As a developer, you have probably heard what XSS is and how to defend against it by escaping user input. You have probably also heard that modern frontend frameworks like React or Angular are XSS safe (due to escaping). Still, there are some XSS caveats worth remembering:
Imagine you have a form where the user adds an address to their page, Facebook, Instagram, etc. You might have HTML code like:
<a href="https://brightinventions.pl/">User page</a>
To conclude: to defend against XSS, besides escaping user input, also validate the protocol of the URL. Let me know if you have any other interesting thoughts when it comes to XSS!
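One way to apply both defenses to the link above, as an added example that is not code from the original post: the URL is parsed with the standard WHATWG `URL` class, only `http:` and `https:` are allowed, and the result is still escaped before it goes into the attribute. The names `ALLOWED_PROTOCOLS`, `safeHref`, `escapeHtml` and `renderUserLink` are hypothetical, and the sample inputs are constructed.

```javascript
// Added example (not from the original post); all names are hypothetical.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized absolute URL if it uses an allowed protocol, else null.
function safeHref(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // Parse the way a browser does: surrounding whitespace is stripped,
    // tabs/newlines inside the scheme are removed, the scheme is lowercased.
    // Checking url.protocol therefore sees what the browser would act on,
    // which a string check like input.startsWith("http") does not.
    url = new URL(input);
  } catch {
    return null; // relative or unparsable input: no protocol to trust
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Escaping is still required: a valid https URL may contain & or quotes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders the user's link, or plain text when the address is rejected.
function renderUserLink(input) {
  const href = safeHref(input);
  if (href === null) return "<span>User page</span>";
  return `<a href="${escapeHtml(href)}">User page</a>`;
}

// Constructed sample inputs.
for (const sample of [
  "https://brightinventions.pl/",
  "https://example.com/?a=1&b=2",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
  "/profile",
]) {
  console.log(JSON.stringify(sample), "=>", renderUserLink(sample));
}
```

The same check belongs on the server when the address is stored, since the frontend is not the only place the value may be rendered.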