[{"data":1,"prerenderedAt":117},["ShallowReactive",2],{"term-x\u002Fxss":3,"related-x\u002Fxss":99},{"id":4,"title":5,"acronym":5,"body":6,"category":78,"description":79,"difficulty":80,"extension":81,"letter":82,"meta":83,"navigation":84,"path":85,"related":86,"seo":92,"sitemap":93,"stem":96,"subcategory":97,"__hash__":98},"terms\u002Fterms\u002Fx\u002Fxss.md","XSS",{"type":7,"value":8,"toc":72},"minimark",[9,14,18,22,25,29,61,65,68],[10,11,13],"h2",{"id":12},"eli5-the-vibe-check","ELI5 — The Vibe Check",[15,16,17],"p",{},"XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser. It can steal cookies, hijack sessions, or redirect users to phishing sites. The fix is to encode everything you put into the page for the spot it lands in (HTML body, attribute, JavaScript, URL) so the browser treats it as text and not code; filtering inputs on the way in is not enough on its own.",[10,19,21],{"id":20},"real-talk","Real Talk",[15,23,24],{},"XSS (Cross-Site Scripting) allows attackers to inject client-side script into a web page so that it runs in other users' browsers with the privileges of that site's origin. There are three types: Stored (the payload is persisted server-side, e.g. in a database, and served to everyone who views it), Reflected (the payload arrives in the request, usually a URL parameter, and is echoed straight back in the response), and DOM-based (client-side JavaScript writes attacker-controlled data such as location.hash into a dangerous sink like innerHTML, so the server never sees the payload). 
Prevention starts with context-aware output encoding at every sink (HTML body, attribute, JavaScript string, URL); a Content Security Policy header is defence in depth that limits what an injected script can still do, and an allow-list HTML sanitizer is for the cases where users are meant to supply rich HTML.",[10,26,28],{"id":27},"show-me-the-code","Show Me The Code",[30,31,36],"pre",{"className":32,"code":33,"language":34,"meta":35,"style":35},"language-html shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u003C!-- Content Security Policy header to block inline scripts -->\n\u003C!-- In HTTP response headers: -->\nContent-Security-Policy: script-src 'self' https:\u002F\u002Ftrusted.cdn.com\n","html","",[37,38,39,48,54],"code",{"__ignoreMap":35},[40,41,44],"span",{"class":42,"line":43},"line",1,[40,45,47],{"class":46},"sHwdD","\u003C!-- Content Security Policy header to block inline scripts -->\n",[40,49,51],{"class":42,"line":50},2,[40,52,53],{"class":46},"\u003C!-- In HTTP response headers: -->\n",[40,55,57],{"class":42,"line":56},3,[40,58,60],{"class":59},"sTEyZ","Content-Security-Policy: script-src 'self' https:\u002F\u002Ftrusted.cdn.com\n",[10,62,64],{"id":63},"when-youll-hear-this","When You'll Hear This",[15,66,67],{},"\"This form is XSS vulnerable.\" \u002F \"The XSS payload was injected via the URL parameter.\"",[69,70,71],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default 
.shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":35,"searchDepth":50,"depth":50,"links":73},[74,75,76,77],{"id":12,"depth":50,"text":13},{"id":20,"depth":50,"text":21},{"id":27,"depth":50,"text":28},{"id":63,"depth":50,"text":64},"security","XSS stands for Cross-Site Scripting. 
Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.","intermediate","md","x",{},true,"\u002Fterms\u002Fx\u002Fxss",[87,88,89,90,91],"Cross-Site Scripting","CSRF","Content Security Policy","Sanitization","OWASP Top 10",{"title":5,"description":79},{"changefreq":94,"priority":95},"weekly",0.7,"terms\u002Fx\u002Fxss",null,"C_s17L1lT1So1rYuKloUs1xdUp_PGA1xB4eajKz6vKY",[100,104,107,110,114],{"title":89,"path":101,"acronym":102,"category":78,"difficulty":80,"description":103},"\u002Fterms\u002Fc\u002Fcontent-security-policy","CSP","Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.",{"title":87,"path":105,"acronym":5,"category":78,"difficulty":80,"description":106},"\u002Fterms\u002Fc\u002Fcross-site-scripting","XSS is when a hacker sneaks their own JavaScript into your website so it runs in other people's browsers.",{"title":88,"path":108,"acronym":88,"category":78,"difficulty":80,"description":109},"\u002Fterms\u002Fc\u002Fcsrf","CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.",{"title":91,"path":111,"acronym":97,"category":78,"difficulty":112,"description":113},"\u002Fterms\u002Fo\u002Fowasp-top-10","beginner","The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.",{"title":90,"path":115,"acronym":97,"category":78,"difficulty":112,"description":116},"\u002Fterms\u002Fs\u002Fsanitization","Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.",1776518323531]