Cross-site scripting (XSS)
Cross-Site Scripting
What is cross-site scripting?
Cross-site scripting (XSS) is a vulnerability that lets an attacker execute their own JavaScript in another user’s browser, in the security context of a site the victim trusts. It happens when an application takes input (a comment, a search term, a profile field, a URL parameter) and inserts it into a page without encoding it, so the browser interprets it as markup and script rather than as text. Once attacker script runs in the victim’s session it can steal tokens, act as the user, log keystrokes, or rewrite the page. XSS comes in three flavors: stored (the payload is saved and served to every viewer), reflected (the payload rides in on a request and bounces back), and DOM-based (client-side JavaScript itself inserts the input unsafely).
How it shows up in real code
The vulnerable pattern is unescaped output:
resultsDiv.innerHTML = "Results for " + params.get("q");A query value of <img src=x onerror=stealCookies()> executes on render. Framework escape hatches are the modern hotspot: React’s dangerouslySetInnerHTML, Vue’s v-html, and template filters like | safe all exist precisely to bypass the default protection, and audits routinely find them fed with user data.
The fix
The core defense is context-aware output encoding: render untrusted data as text, not markup (textContent instead of innerHTML, and framework defaults instead of their escape hatches). Where users legitimately submit rich content, sanitize it with a maintained library such as DOMPurify rather than homemade regexes. A Content Security Policy and HttpOnly cookies are valuable second layers that limit what a successful payload can do.
Why it matters in a code audit
XSS is a completeness problem: one forgotten output among thousands is enough, so auditors inventory every place user data meets HTML and check each escape-hatch usage individually. Stored XSS in a shared surface (comments, dashboards, admin views) is treated as critical because it turns one attacker input into code running for every viewer, including administrators. XSS also compounds neighboring flaws: it is a standard way to defeat the token defense against CSRF, and it shares the “untrusted input, trusted context” root cause with SQL injection. More context is in the top vulnerabilities code audits catch.
A free code audit maps where your user input reaches the page and flags the unsafe paths.
Free · no strings shown later
Get your free code audit
A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.
Request my free audit