XSS in Bolt.new Apps
Bolt.new creates full-stack applications in the browser, but its AI prioritizes speed over security. The generated frontend code frequently renders user input unsafely, creating cross-site scripting vulnerabilities.
How It Happens
Bolt.new generates complete applications including frontend and backend code. When users request features like comment sections, profile pages, or content editors, the AI often uses innerHTML or dangerouslySetInnerHTML to render dynamic content without any sanitization. Bolt's strength is rapid prototyping, which means the AI cuts corners on security to deliver working features quickly. Components that display user-generated content, render markdown, or show previews are the most common XSS vectors. Because Bolt generates both the API and frontend, there is often no server-side output encoding either. The API returns raw user input, and the frontend renders it directly. This means the vulnerability exists at every layer of the application.
Impact
XSS in a Bolt app allows attackers to execute arbitrary JavaScript in other users' browsers. This can steal authentication tokens, capture keystrokes, or redirect users to malicious sites. Bolt apps often store sessions in localStorage (a common pattern with Supabase or Firebase Auth), which is accessible to JavaScript and therefore to XSS attacks. A single XSS vector gives the attacker full account takeover. For Bolt apps that handle sensitive data, XSS can be used to exfiltrate data by sending it to an attacker-controlled server, all invisible to the victim.
How to Detect
Search the Bolt-generated source code for dangerouslySetInnerHTML, innerHTML, and document.write. These are the most common XSS sinks in Bolt apps. Test input fields by entering basic XSS payloads like <script>alert(1)</script> or <img src=x onerror=alert(1)>. If an alert box appears or the HTML renders, the app is vulnerable. Vibe App Scanner tests both stored and reflected XSS patterns by analyzing the full application bundle and probing input vectors automatically.
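The source search described above, as an added example in JavaScript (not code from this page or from Bolt.new): it lists each of the three sinks found in a source string with its line number and whether the value handed to the sink is wrapped in DOMPurify.sanitize(); the sample sources it runs over are constructed for the example.

```javascript
// Regex triage for the sinks named above; flags a sink as sanitized only when
// its value starts with DOMPurify.sanitize(. Samples below are constructed.
const SINKS = [
  { name: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:/g },
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/g }, // assignment, not comparison
  { name: 'document.write', re: /document\.write(?:ln)?\s*\(/g },
];

// Returns [{ sink, line, sanitized }] for each sink in `source`, by 1-based line.
function auditSinks(source) {
  const findings = [];
  for (const { name, re } of SINKS) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split('\n').length;
      const valueStart = m.index + m[0].length;
      // The value expression follows the sink, possibly on the next line (JSX).
      const sanitized = /^\s*DOMPurify\.sanitize\s*\(/.test(source.slice(valueStart, valueStart + 120));
      findings.push({ sink: name, line, sanitized });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// The sinks that render an unsanitized value: fix these first.
function unsanitizedSinks(source) {
  return auditSinks(source).filter((f) => !f.sanitized);
}

// Constructed samples: the vulnerable Bolt-style component, its DOMPurify fix,
// and a vanilla-JS preview widget with one safe and one unsafe sink.
const VULNERABLE_COMMENT = `
function Comment({ text }) {
  return <div className="comment" dangerouslySetInnerHTML={{ __html: text }} />
}`;
const FIXED_RICH_COMMENT = `
import DOMPurify from 'dompurify'
function RichComment({ html }) {
  return <div className="comment" dangerouslySetInnerHTML={{
    __html: DOMPurify.sanitize(html)
  }} />
}`;
const PREVIEW_WIDGET = `
box.innerHTML = DOMPurify.sanitize(draft)
document.write(draft)`;

for (const [label, src] of [['vulnerable', VULNERABLE_COMMENT], ['fixed', FIXED_RICH_COMMENT], ['widget', PREVIEW_WIDGET]]) {
  console.log(label, unsanitizedSinks(src)); // vulnerable: 1 hit, fixed: 0, widget: 1
}
```

Because it is pattern matching rather than parsing, a sink whose value is sanitized through an intermediate variable is reported as unsanitized; treat every hit as a lead to confirm by hand.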
How to Fix
Install DOMPurify and sanitize all dynamic HTML before rendering. Replace dangerouslySetInnerHTML with sanitized alternatives or use a safe rendering library like react-markdown. Add server-side output encoding in the Bolt-generated API. All user input should be HTML-encoded before being stored or returned to the frontend. Implement a strict Content Security Policy that blocks inline scripts and eval. This provides defense-in-depth even if a sanitization step is missed. Audit every component that displays user-generated content and ensure it uses React's default text escaping (JSX curly braces) rather than raw HTML injection.
Code Examples
Comment rendering in a Bolt app

// Bolt-generated comment display (vulnerable: renders the raw comment string as HTML)
function Comment({ text }: { text: string }) {
  return (
    <div
      className="comment"
      dangerouslySetInnerHTML={{ __html: text }}
    />
  )
}

// Fixed version: let React escape the text, or sanitize with DOMPurify when HTML is required
import DOMPurify from 'dompurify'

function Comment({ text }: { text: string }) {
  return (
    <div className="comment">
      {text} {/* React auto-escapes */}
    </div>
  )
}

// Or if HTML formatting is needed:
function RichComment({ html }: { html: string }) {
  return (
    <div
      className="comment"
      dangerouslySetInnerHTML={{
        __html: DOMPurify.sanitize(html)
      }}
    />
  )
}

Frequently Asked Questions
Are all Bolt.new apps vulnerable to XSS?
Not all, but a significant percentage. Any Bolt app that displays user-generated content has a high likelihood of XSS if the AI used dangerouslySetInnerHTML or innerHTML without sanitization.
Does Bolt.new have built-in XSS protection?
Bolt uses React, which auto-escapes JSX expressions. However, the AI frequently bypasses this protection by using dangerouslySetInnerHTML when generating components that display rich text or HTML content.
How do I fix XSS without breaking my Bolt app's formatting?
Use DOMPurify to sanitize HTML before rendering. DOMPurify strips malicious content while preserving safe HTML tags and formatting. Alternatively, use a markdown renderer like react-markdown for user content.