Last updated: April 29, 2026
XSS (Cross-Site Scripting) was the first “client-side is a target” vulnerability class. In 2026, it still appears in audits because modern frameworks aren’t magic — they defend against the common cases but not the contextual ones. Understanding WHY XSS persists is more important than learning payloads that frameworks already block. Let’s focus on what keeps finding its way through.
Why this happens
HTML is a language with multiple sub-contexts. Inside a page you have: HTML element content, HTML attribute values, JavaScript code, CSS values, URL attribute values, JSON inside a script tag. Each context has its own escape rules. React, Angular, Vue escape “HTML element content” by default (good — stops 80% of XSS). But the moment you render into a different context — a URL, a CSS value, a JSON-in-script — that default escaping is wrong or insufficient.
Developers think: “my framework escapes output, so I’m safe.” The truth: “my framework escapes the one context it knows about, and I’m safe in that one context only.” Every other context is a fresh decision.
Meanwhile, attackers are testing every sink. The payload that works in an element body won’t work in a URL, and vice versa. Modern XSS hunters know the contexts better than the framework authors who built the defaults.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.