Cross-Site Scripting
XSS
ELI5 — The Vibe Check
XSS is when a hacker sneaks their own JavaScript into your website so it runs in other people's browsers. Imagine someone graffiti-ing your restaurant's menu board to say 'give me your credit card' — but as code that runs in the customer's browser. Happens when you display user input without sanitizing it.
Real Talk
Cross-Site Scripting (XSS) is an injection attack where malicious scripts are injected into web pages viewed by other users. Attackers exploit insufficient input sanitization to execute JavaScript in victims' browsers, enabling cookie theft, session hijacking, and credential harvesting.
Show Me The Code
// Vulnerable: renders user input as raw HTML
div.innerHTML = userInput; // ❌
// Safe: escape the content
div.textContent = userInput; // ✅
// Or with DOMPurify library:
import DOMPurify from 'dompurify';
div.innerHTML = DOMPurify.sanitize(userInput); // ✅
When You'll Hear This
"The comment section was vulnerable to XSS — users could inject scripts." / "Always sanitize user input to prevent XSS."
Related Terms
Content Security Policy (CSP)
Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.
CSRF (CSRF)
CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.
Escape
Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.
OWASP Top 10
The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.
Sanitization
Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.
SQL Injection
SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.