Cross-Site Scripting (XSS) is a vulnerability where an attacker injects malicious JavaScript into a web page viewed by other users — running in their browsers to steal data, hijack sessions, or perform actions as them. It's a common, dangerous web vulnerability, preventable with proper output handling.
When user input is rendered into a page WITHOUT proper escaping, injected SCRIPTS run:
Welcome, <%= userInput %>
The injected script runs in victims' browsers as if from the trusted site — letting attackers steal session cookies/tokens, hijack accounts, capture keystrokes, or perform actions as the user.
STORED → malicious script SAVED on the server (e.g. in a comment) → served to all viewers
REFLECTED → script in a request (e.g. a URL parameter) reflected back in the response
DOM-based → client-side JS unsafely puts untrusted data into the DOM
✓ ESCAPE/ENCODE output → render user data as TEXT, not HTML (the key defense):
→ frameworks (React, Angular, Vue) auto-escape by default → use them properly
→ escape based on context (HTML, attribute, JS, URL)
✓ AVOID dangerous APIs → innerHTML, dangerouslySetInnerHTML, eval with untrusted data
✓ SANITIZE HTML if you must allow it (e.g. DOMPurify for rich text)
✓ Content Security Policy (CSP) → restricts what scripts can run (defense in depth)
✓ HttpOnly cookies → JS can't read them (limits cookie theft via XSS)
Understanding XSS and how to prevent it is essential because it's a common, dangerous web vulnerability that lets attackers run malicious scripts in users' browsers, so it's must-know security knowledge for web developers.
Understanding how it works — that rendering user input into a page without proper escaping lets injected JavaScript run in other users' browsers in the trusted site's context, enabling attackers to steal session cookies and tokens, hijack accounts, and act as the user — is necessary to recognize and prevent the vulnerability.
XSS is dangerous because it compromises users' sessions and data, and it's common in web apps that display user-generated content.
Understanding the types (stored XSS — malicious scripts saved on the server and served to all viewers, the most dangerous; reflected XSS — scripts reflected from a request; DOM-based XSS — client-side unsafe DOM manipulation) helps recognize the different attack vectors.
Understanding the prevention is essential: escaping/encoding output (rendering user data as text, not HTML — the key defense, which modern frameworks like React do automatically by default when used properly), avoiding dangerous APIs (innerHTML, dangerouslySetInnerHTML, eval with untrusted data — common XSS sources), sanitizing HTML when rich content must be allowed (e.g. DOMPurify), Content Security Policy (restricting script execution as defense-in-depth), and HttpOnly cookies (preventing JS from reading them).
Understanding that frameworks auto-escape (so using them properly prevents most XSS, while bypassing their escaping reintroduces it) is practically important.
Since XSS is a common, dangerous vulnerability compromising users' sessions and data, especially in apps displaying user content, and since understanding how it works and how to prevent it (output escaping, avoiding dangerous APIs, CSP, framework defaults) is essential for web developers, understanding XSS and its prevention is essential, must-know security knowledge — a fundamental web vulnerability to defend against, where proper output handling (escaping, using framework defaults, avoiding dangerous APIs) is critical knowledge for protecting users from a widespread class of attacks.