Security
Seaside tries to be more secure by default than other web frameworks.
Protection against XSS
All output generated by Seaside is HTML entity encoded by default. Unless you send #html: to a render canvas (which writes its argument to the response verbatim), you should be safe against XSS.
Read more about XSS at OWASP.
Protection against CSRF
Seaside automatically generates a unique id, tied to the session, for each action. This id acts as a token that a third-party site cannot guess.
Read more about CSRF at OWASP.
Whitelist Input Validation
Seaside does automatic input validation for dropdowns, multi-select lists, option groups and radio buttons: a submitted value is only accepted if it is one of the options the application rendered.
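To illustrate both the output encoding described under "Protection against XSS" and the whitelist validation of select lists, here is an added Seaside component (example code, not part of the Seaside documentation or framework). The class name EchoComponent, its instance variables and the sample input are assumptions made for this example.

```smalltalk
"Added example, not from the Seaside documentation. A component that renders a
 constructed hostile string two ways and offers a whitelisted select list."
WAComponent subclass: #EchoComponent
	instanceVariableNames: 'comment visibility'
	classVariableNames: ''
	package: 'EchoExample'.

EchoComponent >> initialize
	super initialize.
	"Constructed sample of untrusted input, as a user might submit it."
	comment := '<script>alert(1)</script>'.
	visibility := 'private'.

EchoComponent >> renderContentOn: html
	html form: [
		"Safe: #text: entity-encodes the value, so the browser receives
		 <p>&lt;script&gt;alert(1)&lt;/script&gt;</p> and shows it as text."
		html paragraph: [ html text: comment ].

		"Unsafe: #html: bypasses the encoding and emits the string verbatim,
		 so the script tag reaches the browser. Reserve #html: for markup
		 the application built itself, never for user-controlled data."
		html paragraph: [ html html: comment ].

		"Whitelist validation: the browser only submits a key into this list
		 and Seaside maps it back to one of the rendered objects, so the
		 callback can never receive a value that was not in the list."
		html select
			list: #('public' 'private');
			selected: visibility;
			callback: [ :value | visibility := value ].
		html submitButton ]
```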
No Command Execution
Seaside does not run any interpreter that executes input from the web. However, if you run a command interpreter in addition to Seaside (SQL, XPath, ...), then Seaside cannot protect you against command execution in those.