
Cross Site Scripting (XSS)

How untrusted data becomes executable script in the browser, and how to stop it.

4 min read · intro · beat Silver to climb

What XSS Is

Cross Site Scripting happens when an application places untrusted data into a web page without proper encoding, letting an attacker run script in the victim's browser. That script runs with the victim's privileges and can steal session cookies, read the page, or make requests on the user's behalf.

Common Flavors

  • Stored XSS persists the payload on the server, such as a malicious comment served to every viewer.
  • Reflected XSS bounces the payload off a request, often via a crafted link.
  • DOM-based XSS occurs entirely in client-side JavaScript that writes untrusted input into the page.

Defenses

  • Output encoding is the primary fix: encode data for the exact context, whether HTML body, attribute, or JavaScript.
  • Use safe sinks like textContent instead of innerHTML.
  • Add a Content Security Policy to limit which scripts may run.
  • Validate input as defense in depth, but never rely on it alone.
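The three encoding contexts and the unsafe-versus-safe rendering pair above, as an added example in JavaScript (not the lesson's own code; the comment shape, function names and SAMPLE_COMMENT are constructed for illustration):

```javascript
// Added example (not from the lesson): context-aware output encoding for
// untrusted data rendered into HTML. Runs under Node.js with no DOM; in a
// browser the equivalent safe sink is el.textContent = value, not innerHTML.

// HTML body context: replace the characters that can open a tag, start an
// entity, or close a quoted attribute.
const HTML_BODY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHtmlBody(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_BODY_MAP[c]);
}

// Attribute context is stricter: encode everything except [A-Za-z0-9] as a
// numeric entity so the value cannot break out whatever quoting style is used.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string context: hex/unicode-escape everything except
// [A-Za-z0-9] so the value can never terminate the string literal or the
// enclosing <script> element.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u{${cp.toString(16)}}`;
  });
}

// Vulnerable 'before' (left broken on purpose): values are concatenated
// straight into markup, so a stored comment is rendered as markup for every viewer.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Hardened 'after': each value is encoded for the exact context it lands in.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${encodeForHtmlAttribute(comment.author)}">` +
         `${encodeForHtmlBody(comment.body)}</div>`;
}

// Constructed sample (hypothetical stored comment): the author field tries to
// close the attribute, the body carries a script tag.
const SAMPLE_COMMENT = { author: 'Mallory" title="x', body: '<script>alert(1)</script>' };

console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe:  ', renderCommentSafe(SAMPLE_COMMENT));
```

Note that the attribute encoder is deliberately broader than the body encoder: a body-only encoding applied to an unquoted attribute would still let spaces and `=` introduce new attributes.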

Key idea

XSS is fundamentally an output encoding problem, so encode untrusted data for its rendering context and reinforce with a strict Content Security Policy.

Check yourself

Answer to earn rating on the learn ladder.

1. What is the primary defense against XSS?

2. Which XSS type lives entirely in client-side JavaScript?