Cross-Site Scripting (XSS)
A vulnerability where attacker-controlled input runs as script in another user's browser.
Reviewed by the RadarTrek editorial team · June 2026
XSS happens when an app takes untrusted input — a comment, a username, a query parameter — and renders it as part of a page without neutralising it first, letting an attacker run their own JavaScript in another user's browser session. The fix is two-sided: validate what comes in, and encode what goes out, so input is always treated as data, never as executable markup.
Why it matters
- A successful XSS attack runs with the victim's own session — it can steal cookies, submit forms, or impersonate them entirely.
- Modern frameworks like React escape output by default, but raw `dangerouslySetInnerHTML` or string-built HTML reopens the hole.
- Output encoding has to match the context — HTML, attribute, and JavaScript contexts each need different escaping rules.
Where to learn this
Cross-Site Scripting (XSS) — Input Validation and Output Encoding
Web Security for Builders course
This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.