[seisvelas]

> I'm very unlikely to find XSS in a simple React app

I do offensive security. A lot of developers are ignorant of when/how React apps tend to be XSS vulnerable. Since it has a reputation as being 'safe' from XSS, devs often assume it's just something they don't have to worry about.

This has led to a small renaissance of XSS bug bounties on sites like hackerone, where you see a lot of specialists who just go around finding obvious, common XSS vulns in eg Angular apps.

[tptacek]

I do offensive security. My direct experience, in my audit workload of web applications, which I've had pretty steadily (with some short gaps) since 2005, is that XSS vulnerabilities are far rarer in React applications (regardless of backend) than they are in Rails apps. It's not hard to see why: Rails begs you to disable XSS protection to get anything interesting done in HTML (basically, any time you dip out of Erb or Haml), there aren't a similar number of use cases for overriding React's control of the DOM (because the whole point of React is to give you safe control of the DOM), and when you do, in React, you do it (almost all of the time) with "dangerouslySetInnerHtml" (though this holds just as true with Vue and "v-html".

It's not my argument that there's no XSS in React apps. I've definitely found React XSS. But I assume any Rails app I test will have it somewhere, and, based on experience, I do not have that assumption about React applications.

[seisvelas]

I completely agree with your overall point, I was just making an aside about the tendency of more inherently secure systems to sometimes lead to dev laziness. The same thing can happen to Rust devs, but I wouldn't argue that it isn't way more secure generally than C.