Missing Input Sanitization in Vibecoded Apps
Missing input sanitization in vibecoded apps opens the door to cross-site scripting (XSS), injection attacks, and data corruption. AI tools often generate code that renders user input directly into the page without escaping, or that builds database queries by concatenating unsanitized parameters into the SQL string.
Last updated: 2026-03-14
Identifying Missing Input Sanitization
Test by entering HTML and JavaScript in every input field. Type <script>alert('xss')</script> into name fields, descriptions, and comments. If an alert box appears, or the HTML is rendered as markup instead of showing up as literal text, the app is vulnerable to XSS. Check whether special characters such as angle brackets, quotes, and ampersands are displayed literally or are being interpreted as code. Note that browsers do not execute a <script> tag inserted through innerHTML, so a missing alert does not prove the field is safe: inspect the rendered DOM for the injected element and retest with an event-handler payload such as <img src=x onerror=alert(1)>.
Look for user-generated content displayed elsewhere in the app. Profile names shown in comments, search terms reflected in the URL or page content, and form data displayed in confirmation screens are all places where unsanitized input can execute malicious code.
Reproducing Sanitization Bugs
Create a systematic test by entering known XSS payloads into every input field and checking everywhere that input is later displayed, not just the page that accepted it. Try inputs like <img src=x onerror=alert(1)>, javascript:alert(1) in URL fields, and SQL fragments like ' OR 1=1-- in search and login fields. A database error message, a login that succeeds without a valid password, or a search that returns every row shows the input is reaching the query unparameterized.
Test rich text editors and markdown inputs especially carefully. These features are designed to accept formatted content but must still sanitize dangerous elements. Check whether users can embed iframes, scripts, inline event handlers, or javascript: links through these inputs, and whether that sanitization happens on the server rather than only inside the editor, since the editor can be bypassed by sending the request directly.
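The systematic test described in this section, as an added example that is not part of the original article: a small reflection checker feeds known XSS payloads through a render function and reports whether each one comes back verbatim, entity-encoded, or altered. The three render functions are constructed stand-ins for an app's templating, including a naive "strip <script>" blacklist of the kind AI tools often produce as a fix.

```javascript
// Added example, not code from the original article. The payload list and the
// three renderers are constructed for illustration.
const XSS_PAYLOADS = [
  "<script>alert('xss')</script>",
  "<img src=x onerror=alert(1)>",
  "\"><svg onload=alert(1)>",
];

// Reference encoder used to recognise a correctly escaped reflection.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Constructed vulnerable renderer: interpolates the value straight into markup.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Constructed "fix" that only strips <script> tags; every other payload still lands raw.
function renderBlacklist(name) {
  return `<p>Hello, ${String(name).replace(/<\/?script>/gi, "")}!</p>`;
}

// Constructed safe renderer: HTML-encodes at output time.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Verdict per payload:
//   "reflected" - the raw payload appears in the output (markup will be interpreted)
//   "escaped"   - only the entity-encoded form appears (rendered as text)
//   "missing"   - neither form appears (stripped or mangled; inspect by hand)
function checkReflection(render, payloads = XSS_PAYLOADS) {
  return payloads.map((payload) => {
    const out = render(payload);
    let verdict = "missing";
    if (out.includes(payload)) verdict = "reflected";
    else if (out.includes(escapeHtml(payload))) verdict = "escaped";
    return { payload, verdict };
  });
}

// An app is vulnerable if any payload is reflected raw.
function isVulnerable(render, payloads = XSS_PAYLOADS) {
  return checkReflection(render, payloads).some((r) => r.verdict === "reflected");
}
```

Against a live app the render function would be replaced by a request that submits the payload and fetches the page where it is shown; the verdict logic stays the same, and a "missing" verdict is worth a manual look because partial stripping often leaves a bypass.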
Fixing Input Sanitization Issues
Never pass user-controlled HTML to dangerouslySetInnerHTML in React without first sanitizing it with a library such as DOMPurify, and sanitize it on the server as well if the HTML is stored. Use parameterized queries (or an ORM's bound parameters) for every database operation; never concatenate user input into SQL strings. Encode output for the context it lands in: HTML-encode text placed in HTML, URL-encode values placed in URLs and allow-list the scheme (http and https) of user-supplied links, and JSON/JavaScript-encode data embedded in inline scripts. Input validation (type, length, format) is a useful extra layer, but it is output encoding that actually prevents XSS; "sanitizing" by stripping <script> tags on the way in is easily bypassed with event handlers or other tags.
Add a Content Security Policy (CSP) header as a defense-in-depth measure. A strict CSP (no 'unsafe-inline', scripts allowed only from 'self' plus a per-response nonce or hash) stops injected inline scripts and javascript: URLs from executing even when an XSS bug exists, but it does not fix the bug, and HTML injection can still deface the page or insert a fake login form. Validate and sanitize on the server; client-side validation is trivially bypassed by sending the request directly, so treat it as a usability aid only.
Frequently Asked Questions
How dangerous is missing input sanitization?
Very dangerous. XSS lets an attacker run script in your users' browsers: steal session or CSRF tokens, redirect users to phishing pages, or perform actions as the logged-in user (HttpOnly cookies stop token theft but not actions taken from the victim's own session). SQL injection can read, modify, or destroy your entire database, including password hashes.
Does React automatically prevent XSS?
React escapes the text it renders from JSX expressions by default, which prevents most XSS. That protection does not apply when you use dangerouslySetInnerHTML, put user input into href or src (React logs a console warning for javascript: URLs but you should allow-list the scheme yourself), pass user input to third-party components that set innerHTML, or render user input outside React (server templates, document.write, raw innerHTML). AI-generated code frequently uses these unsafe patterns.
Ready to test your app?
Submit your vibecoded app and get real bug reports from paid human testers. Starting at just €15.
Related articles
Authentication Bypass in Vibecoded Apps
Detect authentication bypass vulnerabilities in AI-generated apps. Learn how vibecoded auth flows leak data and how to secure them properly.
Broken Form Validation in Vibecoded Apps
Identify and fix broken form validation in AI-generated apps. Learn how vibecoded forms miss edge cases and how human QA catches them.
API Response Errors in Vibecoded Apps
Identify and resolve API response errors in AI-generated apps. Malformed responses, wrong status codes, and missing fields break vibecoded apps.