There have been image library exploits where uploading image to site that processes it gives access. The only solution was to update the library.
Or how about Heartbleed where the OpenSSL library had bug. OpenSSL is on the external web server and the attack could compromise server public keys. Perfect for impersonating the server. The solution was to update the OpenSSL library.
There have been browser zero days. Hacker News sanitizes input so user can’t compromise anything. But Hacker News could do an attack.
Consider a fairly normal web site that will send an e-mail from a customer form to the owner, with customer orders. That form is not connected to any private information or any money, at most you will get a spam order if the form is "hacked". Big deal.
Or how about Heartbleed where the OpenSSL library had bug. OpenSSL is on the external web server and the attack could compromise server public keys. Perfect for impersonating the server. The solution was to update the OpenSSL library.
There have been browser zero days. Hacker News sanitizes input so user can’t compromise anything. But Hacker News could do an attack.