[{"data":1,"prerenderedAt":394},["ShallowReactive",2],{"blog-prompts/fix-xss-vulnerabilities":3},{"id":4,"title":5,"body":6,"category":373,"date":374,"dateModified":375,"description":376,"draft":377,"extension":378,"faq":379,"featured":377,"headerVariant":380,"image":379,"keywords":379,"meta":381,"navigation":382,"ogDescription":383,"ogTitle":379,"path":384,"readTime":379,"schemaOrg":385,"schemaType":386,"seo":387,"sitemap":388,"stem":389,"tags":390,"twitterCard":392,"__hash__":393},"blog/blog/prompts/fix-xss-vulnerabilities.md","Fix XSS Vulnerabilities with AI Prompts",{"type":7,"value":8,"toc":363},"minimark",[9,16,21,24,101,105,108,148,158,162,165,219,223,226,284,293,309,313,316,337,351],[10,11,12],"tldr",{},[13,14,15],"p",{},"XSS lets attackers inject malicious scripts into your pages. The fix is contextual output encoding - escape differently for HTML, JavaScript, URLs, and CSS. Modern frameworks help, but dangerouslySetInnerHTML and similar bypass protections. These prompts help you find and fix XSS.",[17,18,20],"h2",{"id":19},"xss-vulnerability-audit","XSS Vulnerability Audit",[13,22,23],{},"Paste this prompt to have your AI scan your frontend for every type of XSS vulnerability. 
You'll get a report covering dangerous innerHTML usage, unencoded URL parameters, eval calls, and missing CSP headers, with file locations and fix instructions.",[25,26,28,31,38,41,69,72,87,90],"prompt-box",{"title":27},"Find XSS Vulnerabilities",[13,29,30],{},"Scan my codebase for potential XSS vulnerabilities.",[13,32,33,34],{},"Framework: ",[35,36,37],"span",{},"React/Vue/Svelte/Vanilla JS",[13,39,40],{},"Look for:",[42,43,44,48,51,54,57,60,63,66],"ol",{},[45,46,47],"li",{},"dangerouslySetInnerHTML (React)",[45,49,50],{},"v-html directive (Vue)",[45,52,53],{},"{@html} tag (Svelte)",[45,55,56],{},"innerHTML assignments",[45,58,59],{},"document.write()",[45,61,62],{},"eval() with user input",[45,64,65],{},"URL parameters rendered without encoding",[45,67,68],{},"User data in script tags",[13,70,71],{},"For each finding report:",[73,74,75,78,81,84],"ul",{},[45,76,77],{},"File and line number",[45,79,80],{},"Type of XSS risk (stored, reflected, DOM)",[45,82,83],{},"User input source",[45,85,86],{},"How to fix",[13,88,89],{},"Also check:",[73,91,92,95,98],{},[45,93,94],{},"Are CSP headers configured?",[45,96,97],{},"Is user content sanitized before storage?",[45,99,100],{},"Are third-party scripts loaded safely?",[17,102,104],{"id":103},"fix-react-xss","Fix React XSS",[13,106,107],{},"Copy this prompt to fix XSS vulnerabilities specific to React apps. 
Your AI will address dangerouslySetInnerHTML misuse, URL injection via href attributes, and event handler injection, plus create a reusable SafeHTML component with DOMPurify.",[25,109,111,114,117,128,131,145],{"title":110},"Secure React Rendering",[13,112,113],{},"Fix XSS vulnerabilities in my React application.",[13,115,116],{},"Problem patterns to fix:",[42,118,119,122,125],{},[45,120,121],{},"dangerouslySetInnerHTML with user content:\nBAD:\nFIX: Use DOMPurify to sanitize or render as text",[45,123,124],{},"URL injection:\nBAD:\nFIX: Validate URL protocol (no javascript:)",[45,126,127],{},"Event handler injection:\nBAD:\nFIX: Never use user input as event handlers",[13,129,130],{},"Solutions:",[73,132,133,136,139,142],{},[45,134,135],{},"Install DOMPurify: npm install dompurify",[45,137,138],{},"Sanitize: DOMPurify.sanitize(userHtml)",[45,140,141],{},"For markdown: use marked + DOMPurify",[45,143,144],{},"Validate URLs: new URL(input).protocol check",[13,146,147],{},"Show me how to create a SafeHTML component that sanitizes before rendering.",[149,150,151],"warning-box",{},[13,152,153,157],{},[154,155,156],"strong",{},"React doesn't protect you everywhere:"," While React escapes by default, dangerouslySetInnerHTML, href attributes, and style objects can still be XSS vectors. Don't assume you're safe.",[17,159,161],{"id":160},"sanitize-rich-text","Sanitize Rich Text",[13,163,164],{},"Use this prompt to safely render user-provided HTML or markdown (blog posts, comments, bios). 
Your AI will set up DOMPurify with an allowlist of safe tags and attributes, plus a reusable component for sanitized rendering.",[25,166,168,171,174,177,191,202,205,216],{"title":167},"Safe Rich Text Rendering",[13,169,170],{},"Implement safe rendering of user-provided HTML/markdown.",[13,172,173],{},"Use case: Blog posts, comments with formatting, user bios",[13,175,176],{},"Approach:",[42,178,179,182,185,188],{},[45,180,181],{},"Sanitize on output (not just input)",[45,183,184],{},"Use allowlist of safe tags",[45,186,187],{},"Strip dangerous attributes (onclick, onerror)",[45,189,190],{},"Validate URLs in href/src",[13,192,193,194,197,198,201],{},"Using DOMPurify:\nconst clean = DOMPurify.sanitize(dirty, {\nALLOWED_TAGS: ",[35,195,196],{},"'b', 'i', 'em', 'strong', 'a', 'p', 'br'",",\nALLOWED_ATTR: ",[35,199,200],{},"'href'",",\nALLOW_DATA_ATTR: false\n});",[13,203,204],{},"For markdown:",[42,206,207,210,213],{},[45,208,209],{},"Parse markdown to HTML",[45,211,212],{},"Sanitize the HTML output",[45,214,215],{},"Then render",[13,217,218],{},"Create reusable component that accepts markdown/HTML\nand renders it safely with appropriate sanitization.",[17,220,222],{"id":221},"dom-based-xss-prevention","DOM-based XSS Prevention",[13,224,225],{},"Paste this prompt to find and fix DOM-based XSS in your JavaScript. Your AI will trace every path from user-controlled sources (location.hash, postMessage, etc.) 
to dangerous sinks (innerHTML, eval, document.write) and replace them with safe alternatives.",[25,227,229,232,235,252,255,275,278,281],{"title":228},"Fix DOM XSS",[13,230,231],{},"Find and fix DOM-based XSS in my JavaScript code.",[13,233,234],{},"DOM XSS sources (user input):",[73,236,237,240,243,246,249],{},[45,238,239],{},"location.hash",[45,241,242],{},"location.search",[45,244,245],{},"document.referrer",[45,247,248],{},"window.name",[45,250,251],{},"postMessage data",[13,253,254],{},"DOM XSS sinks (dangerous functions):",[73,256,257,260,263,266,269,272],{},[45,258,259],{},"innerHTML",[45,261,262],{},"outerHTML",[45,264,265],{},"document.write",[45,267,268],{},"eval()",[45,270,271],{},"setTimeout/setInterval with strings",[45,273,274],{},"element.setAttribute for event handlers",[13,276,277],{},"Fix pattern:\n// BAD\nelement.innerHTML = location.hash.slice(1);",[13,279,280],{},"// GOOD\nelement.textContent = location.hash.slice(1);\n// or sanitize if HTML needed",[13,282,283],{},"Review my code for DOM XSS patterns and show fixes.\nUse textContent instead of innerHTML where possible.",[285,286,287],"tip-box",{},[13,288,289,292],{},[154,290,291],{},"Pro tip:"," Add Content Security Policy headers as defense in depth. Even if an XSS bug exists, a CSP that omits 'unsafe-inline' blocks inline scripts and restricts where scripts can be loaded from. It's not a fix, but it limits the damage.",[294,295,296,303],"faq-section",{},[297,298,300],"faq-item",{"question":299},"What's the difference between stored and reflected XSS?",[13,301,302],{},"Stored XSS is persisted (for example in your database) and served to every user who views the affected page, so it spreads without any interaction beyond normal browsing. Reflected XSS echoes untrusted request input (URL parameters, form fields) straight back in the response, so it only reaches users who open an attacker-crafted link or submit a crafted form. DOM-based XSS never touches the server: the page's own JavaScript reads a source like location.hash and writes it to a dangerous sink. All three need fixing.",[297,304,306],{"question":305},"Is encoding enough to prevent XSS?",[13,307,308],{},"Contextual encoding is the primary defense. But you need different encoding for HTML body, attributes, JavaScript, URLs, and CSS. 
One encoding doesn't fit all contexts.",[17,310,312],{"id":311},"further-reading","Further Reading",[13,314,315],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[73,317,318,325,331],{},[45,319,320],{},[321,322,324],"a",{"href":323},"/blog/vulnerabilities/xss","XSS vulnerabilities explained",[45,326,327],{},[321,328,330],{"href":329},"/blog/how-to/protect-against-xss","How to prevent XSS",[45,332,333],{},[321,334,336],{"href":335},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[338,339,340,346],"related-articles",{},[341,342],"related-card",{"description":343,"href":344,"title":345},"Input validation patterns","/blog/prompts/sanitize-user-input","Sanitize User Input",[341,347],{"description":348,"href":349,"title":350},"Defense in depth","/blog/prompts/add-csp-headers","Add CSP Headers",[352,353,356,360],"cta-box",{"href":354,"label":355},"/","Start Free Scan",[17,357,359],{"id":358},"find-xss-in-your-code","Find XSS in Your Code",[13,361,362],{},"Scan your frontend for Cross-Site Scripting vulnerabilities.",{"title":364,"searchDepth":365,"depth":365,"links":366},"",2,[367,368,369,370,371,372],{"id":19,"depth":365,"text":20},{"id":103,"depth":365,"text":104},{"id":160,"depth":365,"text":161},{"id":221,"depth":365,"text":222},{"id":311,"depth":365,"text":312},{"id":358,"depth":365,"text":359},"prompts","2026-02-18","2026-03-06","AI prompts to fix Cross-Site Scripting (XSS) vulnerabilities. Escape output, sanitize input, and implement CSP to prevent script injection attacks.",false,"md",null,"cyan",{},true,"AI prompts to find and fix XSS vulnerabilities in your frontend.","/blog/prompts/fix-xss-vulnerabilities","[object Object]","BlogPosting",{"title":5,"description":376},{"loc":384},"blog/prompts/fix-xss-vulnerabilities",[391],"Critical","summary_large_image","mV_TBbBkvSSqoEBx9sO3EHHYCv2mqfDszqLt49cVMNE",1775843921435]
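The TL;DR and the second FAQ answer say the fix is output encoding chosen per context, and the React section's fix list says to check new URL(input).protocol. The JavaScript below is an added example written for this page, not code from the original post or from DOMPurify; the function names (escapeHtml, escapeJsString, safeHref, renderComment, renderGreetingScript), the scheme allowlist and the sample payloads are all assumptions. It puts the three encoders side by side and shows why the URL check has to parse the input rather than string-match it.

```javascript
// Added example, not code from the original post: the contextual output
// encoding the TL;DR and FAQ describe, plus the URL-protocol check from the
// React section. All function names and sample values below are assumptions.

// --- HTML body and attribute context ---------------------------------------
// Encode the five characters that can change HTML structure. Encoding both
// quote styles is what lets the same function serve quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// --- JavaScript string context ---------------------------------------------
// HTML encoding is useless inside <script>; instead \xHH-encode everything
// except a conservative alphanumeric set. Encoding "<" and "/" also stops a
// "</script>" inside the data from closing the script block early.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// --- URL context -----------------------------------------------------------
// Resolve the input with the WHATWG URL parser and allow only known-safe
// schemes. Parsing (rather than a regex on the raw string) means tricks like
// "JAVASCRIPT:", " javascript:" and "java\tscript:" all normalise to a
// scheme the allowlist rejects. Returns null for anything that is not safe.
// new URL() throws on a relative input unless a base is given, so relative
// links need the page origin passed as base.
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
function safeHref(input, base) {
  let url;
  try {
    url = new URL(String(input), base);
  } catch {
    return null;
  }
  return SAFE_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// --- Putting the contexts together -----------------------------------------
// Each untrusted field is encoded for the context it lands in: the link
// target goes through the URL check and then attribute encoding, the text
// through HTML encoding. A comment with an unsafe website simply loses its link.
function renderComment({ author, website, body }, base = 'https://example.com/') {
  const href = safeHref(website, base);
  const authorHtml = href
    ? `<a href="${escapeHtml(href)}">${escapeHtml(author)}</a>`
    : escapeHtml(author);
  return `<div class="comment"><strong>${authorHtml}</strong>` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// A value inlined into a script block needs the JS-string encoder, not the
// HTML one; the surrounding double quotes are part of the template.
function renderGreetingScript(name) {
  return `<script>showGreeting("${escapeJsString(name)}");</script>`;
}

// Constructed sample input: the kind of payloads an XSS audit tries.
const SAMPLE_COMMENTS = [
  { author: 'Mallory', website: 'javascript:alert(document.cookie)',
    body: '<img src=x onerror=alert(1)>' },
  { author: '" onmouseover="alert(1)', website: '/u/7', body: 'looks fine' },
];

for (const comment of SAMPLE_COMMENTS) console.log(renderComment(comment));
console.log(renderGreetingScript('</script><script>alert(1)</script>'));
```

Run it with node and the constructed comments print with every payload neutralised. Note what safeHref does and does not do: it accepts any http(s) target, including other origins, so it stops javascript: and data: links but is not an open-redirect control. The example covers the render-as-text path only; content that must keep its markup goes through the DOMPurify allowlist the Sanitize Rich Text section describes, and in the browser the DOM-XSS fix above (textContent instead of innerHTML) is the same idea with the encoding done by the DOM itself.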