Cross‑Site Scripting (XSS) is a class of injection vulnerability in which an attacker manages to insert and execute JavaScript in another user's browser, in the context of your origin. The three common variants are reflected, stored, and DOM-based XSS, all rooted in untrusted data being treated as code.
Why it matters
Once script runs in your origin it can read cookies (unless flagged HttpOnly), exfiltrate session tokens, perform actions as the victim, deface the page, or pivot to further attacks. XSS routinely sits in the OWASP Top 10 because it is widespread and high-impact: a single vulnerable input field can compromise every logged-in user who views the affected page.
How to fix
- Treat all user input as untrusted; encode on output based on context (HTML body, attribute, JS, URL, CSS).
- Prefer framework-native escaping (Vue, React, Angular) over manual string concatenation.
- Avoid dangerous sinks like innerHTML, document.write, and eval with untrusted data; use textContent or sanitizers like DOMPurify.
- Deploy a strict CSP with nonces or hashes to block injected inline scripts.
- Set cookies as HttpOnly, Secure, and SameSite, and serve everything over HTTPS.
- Review related risks like CSRF and SQL injection; see the OWASP XSS Prevention Cheat Sheet for current guidance.