Visual Studio Code Tasks
VS Code Tasks launch scripts and processes directly from the editor - with no need to go through the command line.
XSS attacks can have serious consequences: from account takeovers and the theft of sensitive data to the manipulation of website content and the spread of malware.
A Simple Example
To better understand how an XSS attack works, let's look at a concrete example. Imagine a simple web application that includes a guestbook where visitors can leave messages.
1<form action="/submit_message" method="POST">2 <label for="message">Nachricht:</label>3 <input type="text" id="message" name="message">4 <input type="submit" value="Absenden">5</form>
Output without input sanitization:
1<div id="guestbook">2 <!-- Beispiel für eine gespeicherte Nachricht -->3 <p>Nachricht: Hallo, dies ist ein Test!</p>4</div>
Malicious input:
1<script>alert('XSS-Angriff!');</script>
Without input sanitization, the JavaScript alert would be executed. The resulting code would run. In this example it's just an alert, but in the wild these vulnerabilities are typically used to execute malicious code or steal data.
How to Protect Yourself Against XSS Vulnerabilities
There are several ways to protect against XSS vulnerabilities. The most effective are:
Input validation: All user input should be thoroughly checked and sanitized before it is processed or displayed.
Output encoding: User input should be encoded using HTML entities to ensure it is interpreted as text rather than code.
Content Security Policy (CSP): A CSP can help prevent the execution of untrusted script code.
Input Validation
It's always a good idea to check exactly what data is being stored.
For NodeJS, for example, sanitize-html can be used to clean the data right at input time.
In the Laravel ecosystem there are numerous packages, e.g.: Laravel-XSS-Protection.
In general, in a PHP context you can also help yourself strictly with the following code snippet:
1strip_tags("<script>alert(1);</script>");
Should there be reasons why no cleanup takes place here (e.g. the use of WYSIWYG editors), CSP and encoding offer two alternative approaches.
Output Encoding = Encoding
This refers to the conversion of potentially dangerous characters, e.g. < and >, into their HTML equivalent. > and <
In most cases, this can be done simply and easily:
Javascript (Vanilla)
1function encodeHTML(str) {2 const div = document.createElement('div');3 div.appendChild(document.createTextNode(str));4 return div.innerHTML;5}
PHP
1$output = htmlspecialchars("<script>alert(1);</script>");
Special Case: Markdown
When using Markdown, you should be aware that Markdown supports script execution by default, which can lead to an inherent XSS problem. In combination with Laravel, however, there is a useful helper method that can fix this problem:
1use Illuminate\Support\Str;2 3Str::inlineMarkdown('Inject: <script>alert("Hello XSS!")</script>', [4 'html_input' => 'strip',5 'allow_unsafe_links' => false,6]);
Statamic Helper Functions
In Statamic there are also additional modifiers that "sanitize" the output result
1<a href="{{ my_link | sanitize }}">My Link</a>
Content Security Policy (CSP)
Content Security Policy (CSP) is a powerful security feature that web developers can use to provide an additional layer of protection against various types of attacks such as Cross-Site Scripting (XSS) and data injection attacks. CSP allows developers to define a precise policy specifying which content may be loaded and executed from which sources on their website. By allowing only trusted sources for scripts, stylesheets, and other resources, developers can reduce the risk of malicious content being injected into and executed on their websites.
CSP is configured in the website's HTTP header, offering a flexible way to implement security policies without changes to existing code. This preventive measure is an essential part of modern web security and contributes significantly to ensuring the integrity and security of web applications.
In Laravel and NodeJS applications, this can easily be implemented through middleware:
1public function handle(Request $request, Closure $next) {2 3 // CSP-Header mit dem Nonce-Wert setzen4 $response = $next($request);5 $response->headers->set('Content-Security-Policy', "script-src 'self' https://www.youtube.com;");6 7 return $response;8}
Sometimes you also need to run inline scripts. There are two approaches to this. One option would be to enable unsafe-eval in the CSP. However, this again allows potential XSS vulnerabilities to be exploited.
An alternative is to add a nonce to <script> tags, which is also announced in the header. This tells the browser that these scripts are known and may be executed.
The extension to the previous middleware would look as follows:
1public function handle(Request $request, Closure $next) { 2 3 $nonce = Str::random(16); 4 5 // CSP-Header mit dem Nonce-Wert setzen 6 $response = $next($request); 7 $response->headers->set('Content-Security-Policy', "script-src 'self' 'nonce-$nonce' https://www.youtube.com;"); 8 9 // Nonce-Wert muss für inline code verwendet werden10 session(['cspnonce' => $nonce]);11 12 return $response;13}
A nonce attribute must also be added in the HTML code:
1<script nonce="{{ nonce }}">2 alert("Ich bin sicher");3</script>
For Statamic, it's advisable to create a custom tag element that handles the desired task and forwards the relevant parameters. However, this tag element has to be developed independently to meet the specific requirements and functionality.
Detecting XSS Vulnerabilities
Detecting Cross-Site Scripting (XSS) vulnerabilities is a crucial step in ensuring the security of web applications. Developers and security experts use a wide range of tools to identify and prevent potential XSS attacks. Automated scanners such as OWASP ZAP, Burp Suite, and Acunetix scan the code for known vulnerabilities and test input fields to determine whether malicious scripts can be injected. These tools analyze websites for insecure practices and provide detailed reports along with recommendations for fixing the security issues found. In addition, developers can also use static code analysis tools such as ESLint with specific plugins to catch security vulnerabilities as early as the development phase. Using these tools significantly reduces the likelihood of overlooking XSS vulnerabilities, resulting in a more secure and robust web application.
Useful Tool: XSStrike
Using the command-line tool XSStrike you can quickly scan your own site and check it for potential vulnerabilities. The tool supports a range of useful options and is ready to use quickly
Installing XSStrike
1$ git clone https://github.com/s0md3v/XSStrike.git2$ cd XSStrike3$ pip3 install -r requirements.txt
Testing a site with XSStrike:
1$ python3 xsstrike.py -u URL
Summary
Cross-Site Scripting (XSS) represents a significant threat to the security of web applications. These attacks can compromise sensitive data, take over user accounts, and jeopardize the integrity of websites. The variety of XSS attacks, ranging from reflected to stored to DOM-based, highlights the need for a comprehensive security approach. Developers must apply proven security practices such as input validation, output encoding, and the implementation of Content Security Policies (CSP). In addition, automated security tools play an important role in detecting and preventing XSS vulnerabilities. By being aware of the risks and implementing appropriate protective measures, developers and organizations can effectively defend their web applications against XSS attacks, thereby ensuring the security and trust of their users.
Feel like cooking this up together?
Whether it's an idea, a refactor, or a new build — tell us briefly about your project. We'll get back to you within 24 hours.
Weiterlesen
15. Jun 2026
Building Responsive Images: The Complete srcset & sizes Guide
Responsive images without hand-waving: how srcset and sizes really work, picture for art direction — and how to generate the variants instead of maintaining them by hand.
06. Jun 2026
Core Web Vitals Are an Image Problem – And How Fairu Solves It
LCP is the Core Web Vital most sites fail — and images are almost always to blame. How Fairu gets them passing, with no pipeline of your own.
10. May 2026
Release 1.109 - Now supports google + github login
Starting today, you can sign in to Fairu with Google or GitHub — no separate password needed anymore.