XSS Protection — Complete Guide
XSS Protection — Complete Guide: free step-by-step lesson with examples, common mistakes, and interview tips — part of React.js Tutorial on Toolliyo Academy.
On this page
React.js Tutorial · Lesson 81 of 100
XSS Protection
Beginner ✓ → Intermediate ✓ → Advanced ✓ → Professional
Professional · 4 — ShopCart projects · ~25 min read · Module 9: Testing & Deployment
Introduction
Professional project lesson: XSS Protection. You will put together routing, data, and UI like a portfolio app. Build one piece at a time — do not rush. XSS (Cross-Site Scripting) is when attackers inject script into your page. In React, avoid dangerouslySetInnerHTML with user content; escape output; use CSP headers. Stolen sessions and defaced pages come from rendering untrusted HTML or URLs.
A app on your laptop is not finished until it runs somewhere others can open a URL.
When will you use this?
Use when you are ready to put the app online for users or employers to see.
- Shipping means tests pass, build succeeds, and Docker or Azure hosts the static files.
- Companies run CI so broken code never reaches users.
Real-world: sanitize user bio
Social profile displays user bio — never dangerouslySetInnerHTML with raw input; React escapes text by default.
Production-style code
function UserBio({ bio }) {
// ✅ Safe — React escapes HTML in {bio}
return <p className="bio">{bio}</p>;
}
// ❌ Never do this with user content:
function UnsafeBio({ html }) {
return <div dangerouslySetInnerHTML={{ __html: html }} />;
}
// If rich text required — use DOMPurify on server + client
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(untrustedHtml);
What happens in production: XSS steals sessions — default JSX escaping stops most attacks; sanitize when HTML is required.
Lesson example (start here)
Copy this smaller example first. Once it works, compare it with the real-world code above.
// ❌ Dangerous
<div dangerouslySetInnerHTML={{ __html: userBio }} />
// ✅ Safe — React escapes text by default
<p>{userBio}</p>
Line-by-line walkthrough
| Code | What it means |
|---|---|
// ❌ Dangerous | Comment — notes for humans; the computer ignores it. |
<div dangerouslySetInnerHTML={{ __html: userBio }} /> | JSX tag — a UI element or custom component on the page. |
// ✅ Safe — React escapes text by default | Comment — notes for humans; the computer ignores it. |
<p>{userBio}</p> | JSX tag — a UI element or custom component on the page. |
How it works (big picture)
- React escapes {userBio} in JSX.
- dangerouslySetInnerHTML bypasses that — only use with sanitized HTML from a trusted library like DOMPurify.
Do this on your computer
- Never insert raw user HTML without sanitizing.
- Add Content-Security-Policy header on server.
- Validate URLs in href attributes.
- Read the real-world section and name which part of the app uses this topic.
- Run the example locally and confirm the same behavior in the browser.
- Change one value in the example (text, initial state, or URL) and predict what will happen before you save.
Experiments — try changing this
- Change text or labels in the example and save — watch the browser update.
- Break the code on purpose (remove a bracket), read the error message, then fix it.
Remember
React text in JSX is escaped by default. Avoid dangerouslySetInnerHTML with user data. Use CSP headers.
Common questions
Is React XSS-safe?
Mostly for text; unsafe patterns and APIs can still introduce XSS.
How long should I spend on XSS Protection?
Until you can explain it in your own words and run the example without looking at the answer. Beginners often need 30–60 minutes per new hook or routing topic; setup lessons may take one afternoon.
What if I get stuck on XSS Protection?
Re-read the line-by-line walkthrough, check the browser console for red errors, and compare your code character-by-character with the example. Search the exact error text — someone else had it too.
Where is XSS Protection used in real jobs?
See the real-world section above — the same pattern appears in LMS, banking, e-commerce, and SaaS products. Interviewers ask you to explain it using one concrete example from your project or this lesson.
Sign in to ask a question or upvote helpful answers.
No questions yet — be the first to ask!