Cross-Site Scripting (XSS)

Input Fields Resistant to XSS Attacks

XSS attacks inject JavaScript that reads form values. SmartField returns encrypted payloads from .value. Even successful XSS attacks capture only AES-256-GCM encrypted data, useless without the server's RSA private key.

The Attack

When cross-site scripting (XSS) targets a standard HTML input, the attacker can read the plaintext value directly from the DOM:

// Cross-Site Scripting (XSS) attack:
document.querySelector('input').value // "SensitiveData123" ← stolen

The Protection

With SmartField, the same attack returns encrypted data:

// Same attack against SmartField:
document.querySelector('smart-field').value // "eyJ2IjoxLCJpdiI6..." ← AES-256-GCM encrypted

The attacker gets 600+ characters of encrypted gibberish. Useless without the server's RSA-2048 private key.

13 Security Layers

SmartField does not rely on any single defense. It combines 13 independent security layers:

Implementation

<!-- 2 lines. That's it. -->
<script src="https://cdn.smartfield.dev/v1/smartfield.js"></script>
<smart-field type="password" encrypt-key="/api/sf-key"></smart-field>

Frequently Asked Questions

How does SmartField protect against cross-site scripting (XSS)?
XSS attacks inject JavaScript that reads form values. SmartField returns encrypted payloads from .value. Even successful XSS attacks capture only AES-256-GCM encrypted data, useless without the server's RSA private key.
Does this require changes to my server?
Minimal. Install our server SDK (Node.js, Python, Java, Go, PHP, or Ruby). Call sf.decrypt() on the encrypted payload. Your existing authentication and business logic stays the same.
Does it work with React, Vue, and Angular?
Yes. SmartField is a standard Web Component. It works with any framework or no framework at all.
