What it is
Cross-site scripting (XSS) is when an attacker injects script that the browser runs in the context of your origin. Because the code runs with your site's privileges, it can read cookies, tokens, and the DOM.
The three types
- Reflected: the malicious input is echoed straight back in the response, usually from a query parameter. A crafted link triggers it.
- Stored: the payload is saved on the server, such as a comment or profile field, and runs for every visitor who views it.
- DOM-based: no server round trip is needed. Client-side JavaScript reads attacker-controlled data, such as the URL fragment, and writes it into the page.
Why it happens
The root cause is mixing untrusted data with markup or code. Writing user input into innerHTML, document.write, or an inline event handler lets plain text become live HTML.
Defenses
- Encode on output for the exact context, such as HTML body, attribute, or URL.
- Prefer textContent over innerHTML.
- Add a strong Content Security Policy as a second layer.
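Added example (not code from the original note) of the first two defenses: one encoder per output context named above, used by a renderer that builds a stored comment safely, with the raw-concatenation version beside it for comparison. The comment payload and all function names are constructed for illustration.

```javascript
// Added example: context-aware output encoding for HTML body, HTML attribute
// and URL parameter contexts, plus a safe-by-construction renderer.
// The sample payload below is constructed to look like a stored-XSS comment.

// Context 1: HTML body. Encode the five characters that can open or close
// markup or start an entity, so user text can never become tags.
function encodeHtmlBody(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Context 2: quoted HTML attribute. Encode everything except alphanumerics
// as &#xHH; so input cannot close the quote and add an event handler.
// Callers must always wrap the value in double quotes.
function encodeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Context 3: URL parameter. Percent-encode; the resulting URL still gets
// attribute-encoded when it is placed inside href="...".
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Hardened renderer: every untrusted value is encoded for the exact slot it
// lands in (attribute, URL parameter inside an attribute, body text).
function renderComment(author, text) {
  const profile = '/profile?user=' + encodeUrlParam(author);
  return '<div class="comment" data-author="' + encodeHtmlAttribute(author) + '">' +
         '<a href="' + encodeHtmlAttribute(profile) + '">' + encodeHtmlBody(author) +
         '</a>: ' + encodeHtmlBody(text) + '</div>';
}

// Vulnerable counterpart: raw concatenation lets the comment text become
// live HTML, which is exactly the mistake described under "Why it happens".
function renderCommentUnsafe(author, text) {
  return '<div class="comment" data-author="' + author + '">' +
         author + ': ' + text + '</div>';
}

const payload = '<img src=x onerror=alert(1)>';       // constructed sample
console.log(renderCommentUnsafe('mallory', payload)); // contains a live <img> tag
console.log(renderComment('mallory', payload));       // tag is inert text
```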
Key idea
XSS is untrusted data becoming executable code; encode for the output context and avoid raw innerHTML.