Web Security - Cross-site scripting (XSS)


cross-site scripting (XSS) is a injection security vulnerability that happens when external javascript code is injected in the page via user input.

Injected JavaScript can then steal authentication tokens from local data such as cookies and local storage.

This is similar to SQL injection attacks

Web browsers, for security and privacy reasons, prevent documents in different domains from affecting each other; that is, cross-site scripting is disallowed.


  • the user input should be validated or escaped.
  • Restricting the media type when hosting untrusted content (such as user-generated content)

For example, serving user-generated content as image/png is less risky than serving user-generated content as text/html (HTML may include code via the script element). The applications risk leaking their origin's authority to the untrusted content.


Suppose a page looked at its URL's query string to determine what to display, and the site then redirected the user to that page to display a message, as in:

 <li><a href="message.cgi?say=Hello">Say Hello</a>
 <li><a href="message.cgi?say=Welcome">Say Welcome</a>
 <li><a href="message.cgi?say=Kittens">Say Kittens</a>

If the message was just displayed to the user without escaping, a hostile attacker could then craft a URL that contained a script element:


If the attacker then convinced a victim user to visit this page, a script of the attacker's choosing would run on the page. Such a script could do any number of hostile actions, limited only by what the site offers: if the site is an e-commerce shop, for instance, such a script could cause the user to unknowingly make arbitrarily many unwanted purchases.

This is called a cross-site scripting attack.

Documentation / Reference

Discover More
HTML - (Cross-document|Web) Messaging

Two mechanisms for communicating between browsing contexts in HTML documents. A messaging system that allows documents to communicate with each other regardless of their source domain, in a way designed...
HTML - Escape / Sanitizer

HTML A sanitizer is a program that will: not accept all HTML elements and or transform them as text (escape) This is to avoid script injection and should be used on the server side (ie not client)...
HTML - Not validating user input (malign script execution)

For a secure application, when accepting untrusted input, e.g. user-generated content such as: text comments, values in URL parameters, messages from third-party sites, etc, it is imperative...
HTTP - Content security policy (CSP)

CSP is a security response header that defines the behaviors that are trusted in your HTML page. In particular, it may restrict by defining the allowed host and origin of fetched resources. CSP can...
Prosemirror Dom
How Rich Text editor in HTML are made (Principles and Demo)

How do you create a Rich Text editor in HTML, what are the well-known text editor and what are the principals. This article includes also a basic example where you can extend from to build your own
Saw Object
OBIPS - Allow HTML markup

HTML How to resolve this error: The HardenXSS element secures Oracle BI Presentation Services against cross-site scripting (XSS). Securing against XSS prohibits HTML input in fields in Oracle...
Testing Infrastructure
Software Quality - Tools

Security: Sql injection and Cross-site Scripting - Test Reporting (Manual and Automatic with Integration) Java:...
Web - Security

in a Web app Email Dmarc Cross-site Scripting ... s-rah/onionscanonionscan Burp Suite (Java based) Burp Suite Community Documentation...
What are the elements of security in HTTP? Security headers and cookie properties explained

In HTTP, the security is done via the setting of: response header known as security header that drives the execution of the browser page load cookies properties mostly samesite that control if the...

Share this page:
Follow us:
Task Runner