#XSS
Chrome 146 Beta is here → goo.gle/4apWcRP

We’re adding CSS scroll-triggered animations for smoother UI, a native Sanitizer API to stop XSS, and WebGPU Compatibility mode for older hardware. Plus, new text-indent keywords for better typography.
February 17, 2026 at 10:00 PM
I built on that by figuring out how to do statically what they were doing by dynamic analysis.

That led to the security layers for Closure Templates, Golang's html/template & polymer/lit, and to zero XSS over the last decade in Gmail and other projects.

bughunters.google.com/blog/secure-...
February 9, 2026 at 5:43 PM
…So anyway, the joke is that ASCII art (AA) turns out to be the counter to the generative systems that have been pummeling us so thoroughly, so I'm happily playing around with it. But it's also a technique that, even on a perfectly ordinary input form, can wreck the system if the site is sloppily built, and that gets used for hacks like XSS, so seen as an engineer it's also a story that sends a bit of a chill down my spine.

…That said, can the generative systems really not defend against even such an elementary vulnerability…
No, given that their learning by nature ingests every kind of text, maybe there's just no way to defend against it.
It's kind of, well, amazing.
February 4, 2026 at 2:08 PM
I'm not a professional but:

- Site needs a content security policy to limit access to queries

- Site needs a frame security policy

- JS, CSS, Webmail, cPanel need to be secured/hidden

- "X-Content-Type-Options" header needs a "nosniff" value to make future XSS attacks difficult
February 1, 2026 at 7:24 PM
Had a fun XSS gadget chain with antoniusblock on a real world target, he made an awesome writeup:
blog.antoniusblock.net/posts/dom-cl...
A CTF-Style XSS Chain in the Wild: DOM Clobbering, Gadgets, and CSP Bypass
A bug bounty target that unexpectedly felt like a CTF. What began as simple recon turned into a nice chain of discoveries that ultimately led to a valid XSS
blog.antoniusblock.net
February 1, 2026 at 9:31 AM
every time I see a new xss in an atproto app
MACKLEMORE & RYAN LEWIS - THRIFT SHOP FEAT. WANZ (OFFICIAL VIDEO)
YouTube video by Macklemore
youtu.be
January 30, 2026 at 12:24 AM
We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors!

Browse them here: portswigger.net/web-security...
January 28, 2026 at 1:38 PM
well that means the XSS attack failed. so all good
January 22, 2026 at 7:12 PM
A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers' hardware.
StealC hackers hacked as researchers hijack malware control panels
www.bleepingcomputer.com
January 16, 2026 at 9:00 PM
CISA’s secure-software buying tool had a simple XSS vulnerability of its own
cyberscoop.com/cisa-secure-...
A Cybersecurity and Infrastructure Security Agency tool dedicated to helping government agencies buy secure software turned out to have a cybersecurity vulnerability of its own.
cyberscoop.com
January 15, 2026 at 10:49 PM
I had an XSS issue I wanted fixed quickly, so naturally I had my Bishop fabricate Claims on a neighboring County. Long story short, I have reconstituted the Roman Empire as a vassal state of the Mongol Khanate and I *still* have the XSS issue
January 14, 2026 at 8:09 PM
wtf, bsky.app stores long-lived access tokens in the browser's localStorage and, as if that weren't enough, also your own IP and the email address linked to the account. Everything in localStorage can be read by JavaScript and thus easily exfiltrated in the event of XSS bugs.
January 15, 2026 at 6:20 AM
⚠️ An XSS vulnerability on your website is an open door for hackers!

They can steal data, inject malicious content, and damage your reputation.

Want to avoid that? Scan your website now for free with the C3S beta

Link in bio ⚡️

#CyberSecurity #VulnerabilityScanning #web #AI
January 15, 2026 at 4:05 PM
🚨 EUVD-2026-1579
📊 n/a
🏢 Noor alam

📝 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Refle...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-1579

#cybersecurity #infosec #cve #euvd
January 12, 2026 at 10:31 PM
CVE-2025-40975 - Multiple vulnerabilities in WorkDo products
CVE ID : CVE-2025-40975

Published : Jan. 12, 2026, 12:16 p.m. | 1 hour, 13 minutes ago

Description : Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation ...
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/hrmgo/ticket/changereply’, using the ‘description’ parameter.
cvefeed.io
January 12, 2026 at 1:47 PM
If the actual story is "Your Discord account is vulnerable if you click this link through Discord", then that would be the fucking news.

But, I imagine most people who spread shit like this either don't know what an XSS exploit is, or they're willingly spreading misinformation for clout.
January 11, 2026 at 2:39 AM
without any XSS exploit or deliberate "put your password here" type thing, a website cannot steal your account from another website

also XSS exploits are kinda valuable things and would not be wasted on a fake survey site
January 11, 2026 at 5:27 AM
it would be more likely to be CSRF, and Discord stores their access token in local storage so an external site will not be able to get it. XSS to get the token would require something running in Discord rather than an external site
January 11, 2026 at 11:53 AM
I've just published a test vector for the XSS attack vector via javascript: URIs in link facets here: bsky.app/profile/test...

The record can be seen here: pdsls.dev/at://did:plc...
January 9, 2026 at 1:18 AM
code blocks are not enough

i need embeds running arbitrary third party interfaces on bsky

i need XSS injection on the atmosphere

i want little widgets on my feed!!!
patak.dev patak @patak.dev · Oct 21
Are there plans to add syntax highlighting to code blocks and inline code to Bluesky? It is one of the top features devs appreciated in Elk. Being able to share a11y code snippets instead of images makes a huge diff. I think it could help a lot to promote tinkering with the protocol among devs
January 8, 2026 at 10:57 PM
Should do, unless the attacker manages to get the DPoP key as well, so probably better to just avoid XSS attacks in the first place.
January 8, 2026 at 6:33 PM
This would have been an XSS on the landing page and could affect you if you visited the page and a bad actor had posted this malicious record on the PDS.

It is never fun to find a vulnerability that could put users at risk that trust you as a dev, and for that I apologize and feel awful about it.
January 8, 2026 at 4:22 PM
In the official bluesky client, the facet is a link, but the href is about:blank, not the `javascript:...` URI. So it's not an XSS attack that works.
January 8, 2026 at 2:47 AM
Though it is a good reminder that if your AT Protocol application works with Facets and links, you should be running the link through something like npm.im/@braintree/s... to prevent XSS attacks.

Don't just render an `<a>`, always sanitize.
npm.im
January 8, 2026 at 2:56 AM
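The link-sanitizing advice in the two posts above (reject `javascript:` URIs in link facets, fall back to `about:blank` the way the official client is described as doing), as an added example that is not code from any poster or from the Bluesky client. The facet shape (`index.byteStart`/`byteEnd` as UTF-8 byte offsets, `features[].$type`/`uri`) is my reading of `app.bsky.richtext.facet`, and the http/https allow-list is my own choice.

```javascript
// Added example: render AT Protocol link facets through a URL-scheme
// allow-list, falling back to about:blank for anything else. Facet shape
// assumed from app.bsky.richtext.facet (index.byteStart/byteEnd are UTF-8
// byte offsets; features[] carries {$type, uri}).

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a safe href for an untrusted facet URI. The WHATWG URL parser
// lowercases the scheme and strips leading/trailing whitespace, so
// "  JavaScript:..." still yields protocol "javascript:" and is rejected.
// Relative, protocol-relative, non-string and unparseable input also fall
// back to about:blank instead of being emitted as given.
function safeHref(uri) {
  if (typeof uri !== 'string') return 'about:blank';
  let parsed;
  try {
    parsed = new URL(uri); // no base URL: relative URIs throw here
  } catch {
    return 'about:blank';
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : 'about:blank';
}

// Escape text interpolated into element bodies and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render post text with its link facets as <a> elements; both the visible
// text and the (already allow-listed) href are escaped.
function renderWithFacets(text, facets) {
  const LINK = 'app.bsky.richtext.facet#link';
  const bytes = Buffer.from(text, 'utf8');
  const links = facets
    .map((f) => ({ ...f.index, uri: f.features.find((ft) => ft.$type === LINK)?.uri }))
    .filter((f) => f.uri !== undefined)
    .sort((a, b) => a.byteStart - b.byteStart);
  let out = '';
  let pos = 0;
  for (const { byteStart, byteEnd, uri } of links) {
    if (byteStart < pos || byteEnd > bytes.length) continue; // overlapping or out of range
    out += escapeHtml(bytes.subarray(pos, byteStart).toString('utf8'));
    out += `<a href="${escapeHtml(safeHref(uri))}" rel="noopener noreferrer">` +
      `${escapeHtml(bytes.subarray(byteStart, byteEnd).toString('utf8'))}</a>`;
    pos = byteEnd;
  }
  return out + escapeHtml(bytes.subarray(pos).toString('utf8'));
}
```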