XSS

Cross-Site Scripting

XSS (Cross-Site Scripting — the X is a historical typo that stuck) is an injection attack where attacker-controlled JavaScript runs in a victim’s browser in the context of a trusted site. Three variants:

  • Reflected XSS — attacker crafts a URL containing JavaScript; victim clicks; the site echoes the URL parameter back unescaped, and the script runs. Example: ?search=<script>evil()</script>.
  • Stored XSS — attacker submits malicious content (a comment, a profile bio) that the site stores and later renders unescaped to other users. Worse than reflected because it auto-fires for every visitor.
  • DOM-based XSS — script runs purely on the client, with the malicious content never touching the server. Often via document.write, innerHTML, or unsafe handling of URL fragments.

Defences: contextual output encoding (HTML-escape on render, JS-escape inside script blocks, URL-encode for href). Content Security Policy (CSP) headers as defence-in-depth. Template engines that auto-escape (Jinja, ERB, React JSX) eliminate most reflected and stored XSS by default.
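The three encoders named above, written out as an added example (not code from this glossary or from any library), and run against the reflected payload from the first bullet. The function names are my own; the point is that each sink gets the encoder for its own context, and a value placed in an href gets both URL- and HTML-encoding because it sits in an attribute.

```javascript
// HTML text / double-quoted attribute context: escape the characters that
// can close a tag or an attribute value.
function encodeForHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// JavaScript string context (inside a <script> block): \uXXXX-escape every
// non-alphanumeric character, so neither a quote nor "</script>" survives.
function encodeForJS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query-parameter context inside href="?search=...": percent-encode the
// value, then HTML-escape it (encodeURIComponent leaves ' and ( ) alone,
// and the result still lands inside an HTML attribute).
function encodeForURLParam(s) {
  return encodeForHTML(encodeURIComponent(String(s)));
}

// Vulnerable render: echoes the search term straight into the markup.
function renderSearchUnsafe(term) {
  return `<p>Results for ${term}</p>`;
}

// Hardened render: three sinks, three contexts, three encoders.
function renderSearchSafe(term) {
  return [
    `<p>Results for ${encodeForHTML(term)}</p>`,
    `<a href="?search=${encodeForURLParam(term)}">permalink</a>`,
    `<script>var q = "${encodeForJS(term)}";</script>`,
  ].join('\n');
}

// Constructed input: the reflected payload quoted in the glossary entry.
const PAYLOAD = '<script>evil()</script>';

console.log(renderSearchUnsafe(PAYLOAD)); // script tag reaches the page intact
console.log(renderSearchSafe(PAYLOAD));   // rendered as literal text in every context
```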

XSS remains in the OWASP Top 10 not because the fix is hard, but because it’s easy to bypass auto-escaping with dangerouslySetInnerHTML-style escape hatches, and one forgotten place ruins the whole defence.

Published May 15, 2026