Definition
XSS (Cross-Site Scripting) is a security vulnerability where an attacker injects malicious JavaScript into a web page viewed by other users. The injected script runs in the victim's browser with the page's full permissions, enabling cookie theft, session hijacking, and UI manipulation.
Stored XSS occurs when malicious input is saved on the server (e.g., a comment containing a script tag) and served to every user who views that page. Reflected XSS happens when user input from a URL parameter or form is immediately echoed back in the page without sanitization; the attacker tricks the victim into clicking a crafted link that carries the payload. DOM-based XSS occurs entirely in the browser, when client-side JavaScript inserts untrusted data into the DOM without escaping, so the server never sees the payload.
An XSS attack runs JavaScript in the context of the vulnerable website, with access to that site's cookies, localStorage, and DOM. This means the attacker can steal session cookies (taking over the user's account), capture keystrokes (logging passwords), modify the page content (displaying a fake login form), or make API requests as the user. XSS is consistently ranked in the OWASP Top 10 web security risks and remains one of the most common vulnerabilities found in web applications.
The primary defense is output encoding: always escape user-generated content for the context it is inserted into, whether HTML, JavaScript, CSS, or a URL. Modern frameworks (React, Vue, Angular) auto-escape by default; React's JSX escapes the values interpolated into it, preventing most XSS. Additional defenses include Content Security Policy (CSP) headers that restrict which scripts can execute, HttpOnly cookies that prevent JavaScript access to session tokens, and input validation that rejects clearly malicious patterns. Never use innerHTML or dangerouslySetInnerHTML with untrusted data.
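As an added example, not code from the original page, here is the unsafe string interpolation that produces stored or DOM-based XSS beside its output-encoded counterpart, written in plain JavaScript so it runs outside a browser (the comment record, the function names and the markup check are constructed for illustration):

```javascript
// Added example (not from the original page): HTML-body output encoding for
// user-generated content, shown next to the unsafe interpolation that causes
// stored/DOM-based XSS. Runs in Node; no browser DOM is needed.

// Characters that can break out of an HTML text or double-quoted attribute
// context. The slash is included so "</" cannot close an enclosing tag.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode an untrusted value for insertion into HTML body or attribute text.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// UNSAFE: the pattern the page warns about. Interpolating user input straight
// into markup (then assigning it with innerHTML) lets a stored comment carry
// tags and script into every viewer's page.
function renderCommentUnsafe(author, body) {
  return `<li class="entry"><b>${author}</b>: ${body}</li>`;
}

// SAFE: every untrusted value is encoded before it is joined into the markup,
// so the browser displays the text literally instead of parsing it as HTML.
// In a real page, prefer element.textContent over innerHTML for the same effect.
function renderCommentSafe(author, body) {
  return `<li class="entry"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Cheap regression check for tests or log review: does the rendered markup
// still contain a raw script tag or an inline event-handler attribute?
// This is a heuristic, not a parser, and is no substitute for encoding.
function containsActiveMarkup(html) {
  return /<\s*script\b|<[^>]+\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample: the kind of comment a stored-XSS attempt would save.
const sampleComment = { author: 'mallory', body: 'nice post <script>alert(1)</script>' };

console.log(renderCommentUnsafe(sampleComment.author, sampleComment.body));
console.log(renderCommentSafe(sampleComment.author, sampleComment.body));
```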