[{"data":1,"prerenderedAt":230},["ShallowReactive",2],{"term-c\u002Fcross-site-scripting":3,"related-c\u002Fcross-site-scripting":209},{"id":4,"title":5,"acronym":6,"body":7,"category":188,"description":189,"difficulty":190,"extension":191,"letter":192,"meta":193,"navigation":80,"path":194,"related":195,"seo":202,"sitemap":203,"stem":206,"subcategory":207,"__hash__":208},"terms\u002Fterms\u002Fc\u002Fcross-site-scripting.md","Cross-Site Scripting","XSS",{"type":8,"value":9,"toc":182},"minimark",[10,15,19,23,26,30,171,175,178],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18],"p",{},"XSS is when a hacker sneaks their own JavaScript into your website so it runs in other people's browsers. Imagine someone graffiti-ing your restaurant's menu board to say 'give me your credit card' — but as code that runs in the customer's browser. Happens when you display user input without sanitizing it.",[11,20,22],{"id":21},"real-talk","Real Talk",[16,24,25],{},"Cross-Site Scripting (XSS) is an injection attack where malicious scripts are injected into web pages viewed by other users. 
Attackers exploit insufficient input sanitization or output encoding to execute JavaScript in victims' browsers, enabling cookie theft, session hijacking, and credential harvesting.",[11,27,29],{"id":28},"show-me-the-code","Show Me The Code",[31,32,37],"pre",{"className":33,"code":34,"language":35,"meta":36,"style":36},"language-javascript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F Vulnerable: renders user input as raw HTML\ndiv.innerHTML = userInput; \u002F\u002F ❌\n\n\u002F\u002F Safe: escape the content\ndiv.textContent = userInput; \u002F\u002F ✅\n\n\u002F\u002F Or with DOMPurify library:\nimport DOMPurify from 'dompurify';\ndiv.innerHTML = DOMPurify.sanitize(userInput); \u002F\u002F ✅\n","javascript","",[38,39,40,49,75,82,88,107,112,118,144],"code",{"__ignoreMap":36},[41,42,45],"span",{"class":43,"line":44},"line",1,[41,46,48],{"class":47},"sHwdD","\u002F\u002F Vulnerable: renders user input as raw HTML\n",[41,50,52,56,60,63,66,69,72],{"class":43,"line":51},2,[41,53,55],{"class":54},"sTEyZ","div",[41,57,59],{"class":58},"sMK4o",".",[41,61,62],{"class":54},"innerHTML ",[41,64,65],{"class":58},"=",[41,67,68],{"class":54}," userInput",[41,70,71],{"class":58},";",[41,73,74],{"class":47}," \u002F\u002F ❌\n",[41,76,78],{"class":43,"line":77},3,[41,79,81],{"emptyLinePlaceholder":80},true,"\n",[41,83,85],{"class":43,"line":84},4,[41,86,87],{"class":47},"\u002F\u002F Safe: escape the content\n",[41,89,91,93,95,98,100,102,104],{"class":43,"line":90},5,[41,92,55],{"class":54},[41,94,59],{"class":58},[41,96,97],{"class":54},"textContent ",[41,99,65],{"class":58},[41,101,68],{"class":54},[41,103,71],{"class":58},[41,105,106],{"class":47}," \u002F\u002F ✅\n",[41,108,110],{"class":43,"line":109},6,[41,111,81],{"emptyLinePlaceholder":80},[41,113,115],{"class":43,"line":114},7,[41,116,117],{"class":47},"\u002F\u002F Or with DOMPurify 
library:\n",[41,119,121,125,128,131,134,138,141],{"class":43,"line":120},8,[41,122,124],{"class":123},"s7zQu","import",[41,126,127],{"class":54}," DOMPurify ",[41,129,130],{"class":123},"from",[41,132,133],{"class":58}," '",[41,135,137],{"class":136},"sfazB","dompurify",[41,139,140],{"class":58},"'",[41,142,143],{"class":58},";\n",[41,145,147,149,151,153,155,158,160,164,167,169],{"class":43,"line":146},9,[41,148,55],{"class":54},[41,150,59],{"class":58},[41,152,62],{"class":54},[41,154,65],{"class":58},[41,156,157],{"class":54}," DOMPurify",[41,159,59],{"class":58},[41,161,163],{"class":162},"s2Zo4","sanitize",[41,165,166],{"class":54},"(userInput)",[41,168,71],{"class":58},[41,170,106],{"class":47},[11,172,174],{"id":173},"when-youll-hear-this","When You'll Hear This",[16,176,177],{},"\"The comment section was vulnerable to XSS — users could inject scripts.\" \u002F \"Always sanitize user input to prevent XSS.\"",[179,180,181],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: 
var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":36,"searchDepth":51,"depth":51,"links":183},[184,185,186,187],{"id":13,"depth":51,"text":14},{"id":21,"depth":51,"text":22},{"id":28,"depth":51,"text":29},{"id":173,"depth":51,"text":174},"security","XSS is when a hacker sneaks their own JavaScript into your website so it runs in other people's browsers.","intermediate","md","c",{},"\u002Fterms\u002Fc\u002Fcross-site-scripting",[196,197,198,199,200,201],"CSRF","SQL Injection","Sanitization","Content Security Policy","OWASP Top 
10","Escape",{"title":5,"description":189},{"changefreq":204,"priority":205},"weekly",0.7,"terms\u002Fc\u002Fcross-site-scripting",null,"f8FoGXjVRPySPrI8sM3CxeJDG6UzCpQdv575pku6Cjg",[210,214,217,221,224,227],{"title":199,"path":211,"acronym":212,"category":188,"difficulty":190,"description":213},"\u002Fterms\u002Fc\u002Fcontent-security-policy","CSP","Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.",{"title":196,"path":215,"acronym":196,"category":188,"difficulty":190,"description":216},"\u002Fterms\u002Fc\u002Fcsrf","CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.",{"title":201,"path":218,"acronym":207,"category":188,"difficulty":219,"description":220},"\u002Fterms\u002Fe\u002Fescape","beginner","Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.",{"title":200,"path":222,"acronym":207,"category":188,"difficulty":219,"description":223},"\u002Fterms\u002Fo\u002Fowasp-top-10","The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.",{"title":198,"path":225,"acronym":207,"category":188,"difficulty":219,"description":226},"\u002Fterms\u002Fs\u002Fsanitization","Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.",{"title":197,"path":228,"acronym":207,"category":188,"difficulty":190,"description":229},"\u002Fterms\u002Fs\u002Fsql-injection","SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.",1776518270940]