Cross site scripting, or XSS, is a form of attack on a web application which involves executing code on a user's browser. Output encoding is a defense against XSS attacks.
To get a more extensive understanding of XSS, see excess xss.
Protecting from XSS attacks requires developers to consider how data is being displayed on a page. If the data could come from a user's input in any way (including through the site's URL), then correct encoding of the output has to be considered.
The excess xss prevention section has up-to-date information on how to prevent XSS attacks in all the possible ways they could happen.
By default React DOM escapes all output. This means that output in JSX components will usually be safe, which is great news. This is discussed in React's documentation.
There are some cases where output may not be correctly escaped in React components. Here are some of those cases:
- Using the
dangerouslySetInnerHTMLprop (it's named this for a reason)
- Passing state from the server, JSON stringifying it without serializing it
- Using user supplied
- Incorrect usages of
This dailyjs article discusses these various problems and how to avoid them.
Angular also does a good job of escaping output by default. In general, earlier versions of Angular 1 had more security vulnerabilities, so a safe bet is to ensure the project is on the most recent version of Angular. To learn more about potential vulnerabilities, the Angular site provides detailed information.