
Cross-Site Scripting (XSS)

XSS

A vulnerability where attacker-controlled input runs as script in another user's browser.

Reviewed by the RadarTrek editorial team · June 2026

XSS happens when an app takes untrusted input — a comment, a username, a query parameter — and renders it as part of a page without neutralising it first, letting an attacker run their own JavaScript in another user's browser session. The fix is two-sided: validate what comes in, and encode what goes out, so input is always treated as data, never as executable markup.

Why it matters

  • A successful XSS attack runs with the victim's own session — it can steal cookies, submit forms, or impersonate them entirely.
  • Modern frameworks like React escape output by default, but raw `dangerouslySetInnerHTML` or string-built HTML reopens the hole.
  • Output encoding has to match the context — HTML, attribute, and JavaScript contexts each need different escaping rules.
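To make the last point concrete, here is an added example (not part of the RadarTrek glossary entry or course) of one encoder per output context in JavaScript; the helper names are hypothetical and the inputs are constructed samples:

```javascript
// Added example (not RadarTrek's code): one encoder per output context.
// Helper names are hypothetical; the inputs below are constructed samples.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body and quoted-attribute context: entity-encode the five characters
// that can start or end markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: hex-escape everything that is not
// alphanumeric, so the value can neither close the quoted literal nor
// contain a literal "</script>" that would end the enclosing script element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Comment text rendered into the HTML body.
function renderComment(text) {
  return `<p class="comment">${escapeHtml(text)}</p>`;
}

// A user-supplied value embedded into an inline script variable.
function renderInlineScript(displayName) {
  return `<script>var displayName = "${escapeJsString(displayName)}";</script>`;
}

// Event-handler attribute: the browser decodes HTML entities in the attribute
// before the JavaScript parser runs, so HTML encoding alone would be undone.
// Escape for the inner context (JS string) first, then the outer one (attribute).
function renderButton(label) {
  const jsSafe = escapeHtml(escapeJsString(label));
  return `<button onclick="greet('${jsSafe}')">${escapeHtml(label)}</button>`;
}

// Sanity check: the rendered inline script must contain exactly one closing
// </script>, the one the template itself wrote.
function scriptStaysClosed(displayName) {
  return renderInlineScript(displayName).split('</script>').length === 2;
}
```

Note that `renderButton` layers two encoders inside-out, which is the general rule whenever one context is nested inside another.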

Where to learn this


Cross-Site Scripting (XSS) — Input Validation and Output Encoding

Web Security for Builders course

This is the exact lesson that covers this term in depth — with examples, diagrams, and a hands-on exercise.
