Glossary

What Is XSS (Cross-Site Scripting)? Web Security Explained

Cross-Site Scripting (XSS) is a web security vulnerability in which an attacker gets their own script (almost always JavaScript) into a page that other users view. The browser cannot tell the injected script from the site's own, so it runs it in the site's origin with the same access: it can read cookies that are not marked HttpOnly, send authenticated requests as the victim (session hijacking), capture keystrokes and form input, and rewrite the page (defacement).

Types of XSS

Reflected XSS: the payload travels in the request (typically a URL parameter) and is echoed unsafely in the immediate response, for example a search page that prints the query; the attacker has to get the victim to open a crafted link. Stored (Persistent) XSS: the attacker submits the payload through a form (comment, profile bio), the server saves it and serves it to every later visitor, so nothing is required of the victim beyond loading the page. DOM-based XSS: the server response is clean, but client-side JavaScript reads attacker-controlled data from a source such as location.hash or location.search and writes it to a dangerous sink such as innerHTML, document.write or eval. The payload may never reach the server at all (a URL fragment is not sent with the request), so server-side filtering cannot catch it.

Prevention: Output Encoding and CSP

Output encoding: encode user-supplied data for the exact context it lands in, at the moment it is written out. HTML entity encoding for element content; HTML attribute encoding inside attribute values, with the attribute always quoted; JavaScript string escaping (\xHH or \uHHHH) for data placed inside a string literal in a script block; URL encoding (percent-encoding) only for data that becomes part of a URL, such as a query parameter. Encoding for the wrong context, for instance URL-encoding a value that sits in an HTML attribute, leaves the injection open. Template engines that auto-escape by default cover the common case; the gaps are raw or "unescaped" output helpers and hand-built strings. Content Security Policy (CSP): a response header that tells the browser which script sources it may execute. With script-src 'self' the browser refuses inline scripts, inline event handlers and scripts from other origins even when they are injected, because 'unsafe-inline' is not granted. A nonce- or hash-based policy (script-src 'nonce-...' 'strict-dynamic') is stronger still, since it also blocks injected references to scripts on the site's own origin, such as uploaded files or JSONP endpoints. CSP is a second line of defence, not a replacement for encoding: it limits what an injection can do, and it does nothing against HTML injection that needs no script.

Common Mistakes

Writing user data with innerHTML (or outerHTML, insertAdjacentHTML, document.write, jQuery's .html()) when textContent, or createElement plus setAttribute, would do. Trusting HTML "sanitised" only in the browser: an attacker bypasses client-side code by sending the request directly, so validate or sanitise on the server as well, and where HTML must be rendered client-side, run a maintained sanitiser such as DOMPurify immediately before the sink. Reading query parameters with hand-rolled parsing: let id = location.search.match(/id=(.+)/)[1] gives an attacker who controls the URL full control of id (it also swallows every later parameter and throws when id is absent); use URLSearchParams, validate the value against an allow-list, and keep it out of dangerous sinks. Treating the legacy X-XSS-Protection header as a defence: the browser XSS auditor it controlled was bypassable, was removed from Chrome and Edge, and never existed in Firefox, so whether the header is set to 0 or 1, only a CSP actually compensates.