XSS
Definition
XSS (Cross-Site Scripting) is a vulnerability where attacker-controlled JavaScript runs in another user's browser, in the context of your site — same domain, same cookies, same localStorage. Result: session theft, data exfiltration, or arbitrary actions taken as the user.
What it means
Three flavors. **Reflected XSS**: a payload in a URL parameter is echoed into the response unescaped — `?q=<script>...</script>` runs when the link is clicked. **Stored XSS**: the payload is saved server-side (comment, profile, message) and runs for every viewer. **DOM XSS**: client-side JS reads attacker-controlled input and writes it into the DOM via `innerHTML` or `eval` — the server need not be involved at all. Modern frameworks (React, Vue, Svelte) escape by default at every interpolation point, which closes most XSS at the source. What remains comes from the frameworks' escape hatches (`dangerouslySetInnerHTML` in React, `v-html` in Vue, `@html` in Svelte) or from building HTML strings outside the framework's safe pipeline.
Why it matters
XSS is the #1 web vulnerability that compromises actual users (as opposed to server-side bugs that compromise infrastructure). A single XSS in a logged-in admin tool can be a full account takeover. Defenses: framework-default escaping; Content-Security-Policy (`script-src`) to block inline and cross-origin scripts; HttpOnly cookies so XSS can't read session tokens; input validation as defense in depth, never as the only defense.
Frequently asked questions
Does React prevent XSS?
Mostly. JSX interpolations (`{userInput}`) are escaped automatically. dangerouslySetInnerHTML, eval, javascript: URLs, and direct DOM manipulation bypass that — those are where React XSS lives.
Is HTML escaping enough?
For HTML body content, yes. For attribute values, you need attribute-context escaping. For URLs in `href` / `src`, you need scheme allowlisting (block `javascript:` and `data:text/html`). Different contexts need different escaping.
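The context point above, and the reflected/stored cases from "What it means", as an added example that is not code from the glossary: one small encoder per output context (HTML body, HTML attribute, URL scheme allowlist), composed into a comment renderer. The function names and the sample comment are my own constructions; the URL check leans on Node's WHATWG `URL` parser, which lowercases the scheme and strips the tab/newline and leading-space variants before the scheme is compared.

```javascript
// Added example, not code from the glossary page: one encoder per output
// context, composed into a renderer. Function names are assumptions.

// HTML body context: neutralise the characters that can start a tag or entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// HTML attribute context: encode everything outside [A-Za-z0-9] as a numeric
// entity, so the value cannot close its quotes or start a new attribute even
// if a template forgot the quotes.
function escapeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// URL context (href/src): allowlist schemes instead of trying to escape.
// The WHATWG parser lowercases the scheme and removes tabs/newlines, so
// "JaVaScRiPt:" and "java\tscript:" resolve to the same blocked scheme.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const RELATIVE_BASE = "https://placeholder.invalid/"; // only so relative URLs parse

function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value), RELATIVE_BASE);
  } catch {
    return "about:blank";
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? String(value).trim() : "about:blank";
}

// Each value goes through the encoder for the slot it lands in. The URL is
// allowlisted first and then attribute-encoded, because it sits in an attribute.
function renderComment({ author, body, website }) {
  return `<li><a href="${escapeAttr(safeUrl(website))}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</li>`;
}

// Constructed sample input carrying one payload per context.
const SAMPLE_COMMENT = {
  author: '" onmouseover="alert(1)',
  body: "<script>alert(document.cookie)</script>",
  website: "javascript:alert(1)",
};

console.log(renderComment(SAMPLE_COMMENT));
```

The rendered `<li>` contains no executable content: the body payload becomes literal text, the attribute payload cannot break out of its quotes, and the `javascript:` link is replaced by `about:blank`. Swapping a single "escape everything" function in for all three slots is the mistake the FAQ warns about; the attribute and URL slots each need their own treatment.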
What's the role of CSP?
Content-Security-Policy is a browser-enforced second line of defense. Even if XSS is injected, a strict script-src (no 'unsafe-inline', no broad allowlists) prevents the attacker's script from executing.
Related terms
- **CSRF**: CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into making an authenticated request your server can't distinguish from a real one. The attacker doesn't need to read responses — they just need the request to fire and have side effects.
- **CORS**: CORS (Cross-Origin Resource Sharing) is a browser mechanism that lets a server explicitly opt in to cross-origin requests. The same-origin policy blocks fetches across origins by default; CORS headers (Access-Control-Allow-Origin, etc.) tell the browser to make exceptions.