https://www.secdev.uk/blog/tags/cross-site-scripting/ Recent content in Cross-Site Scripting on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 01 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-01-xss-is-not-just-a-javascript-problem/ Sat, 01 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-01-xss-is-not-just-a-javascript-problem/ <p>Cross-site scripting gets framed as a front-end problem a lot, something that happens in JavaScript and gets fixed with JavaScript. But the more I dug into this, the clearer it became that XSS vulnerabilities almost always originate on the server side, in whatever language is generating the HTML. I&rsquo;ve found XSS in Python templates, Java JSPs, Go&rsquo;s <code>html/template</code> misuse, Rust web frameworks, and server-rendered JavaScript. The language you write your backend in determines which XSS patterns you&rsquo;ll run into and which ones will sneak past your review.</p>