Cross-Site Scripting

Learn about cross-site scripting, server-side rendering, automated scanning tools, and some ways to protect privileged data.

What is XSS?

Cross-site scripting (XSS) happens when a service renders a user’s input directly into HTML without applying input escaping. It’s closely related to injection attacks. Both take advantage of the fact that we represent structured data as sequences of ordinary characters: the attacker’s input supplies premature delimiters and unwanted commands, and the parser cannot tell them apart from the ones the service meant to write. For example, suppose we have a service that echoes back the user’s “search” parameter in the results page. It has some server-side rendering code like this:
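To make the echo concrete, here is an added Python example (not the page's or the course's own code) of such a server-side rendering function: the vulnerable form, a half-fix that escapes only the element body, and the form that escapes the parameter for both the body and the attribute context. The template, the query strings and the helper names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample requests (not from the original page).
BENIGN_QUERY = "search=running+shoes"
HOSTILE_QUERY = "search=</h1><script>alert(1)</script>"
ATTRIBUTE_BREAKOUT_QUERY = 'search=x" autofocus onfocus="alert(1)'

# The user's term lands in two HTML contexts: an element body and a
# double-quoted attribute value. Each context has its own delimiters.
TEMPLATE = (
    "<h1>Results for: {term}</h1>\n"
    '<input name="search" value="{term}">'
)


def search_param(query_string: str) -> str:
    """Extract the 'search' parameter the way a web framework would."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_unsafe(search: str) -> str:
    """Vulnerable: the raw parameter is interpolated verbatim, so '<'
    starts a new tag and '"' terminates the attribute value."""
    return TEMPLATE.format(term=search)


def render_incomplete(search: str) -> str:
    """Common mistake: escaping only '&', '<' and '>' (quote=False)
    protects the element body but still lets '"' close the attribute."""
    return TEMPLATE.format(term=html.escape(search, quote=False))


def render_safe(search: str) -> str:
    """Hardened: escape for the HTML context before interpolating.
    quote=True also encodes '"' and "'", so neither context can be
    broken out of; benign input renders identically to the unsafe form."""
    return TEMPLATE.format(term=html.escape(search, quote=True))


if __name__ == "__main__":
    for query in (BENIGN_QUERY, HOSTILE_QUERY, ATTRIBUTE_BREAKOUT_QUERY):
        term = search_param(query)
        print("unsafe    :", render_unsafe(term).replace("\n", " "))
        print("incomplete:", render_incomplete(term).replace("\n", " "))
        print("safe      :", render_safe(term).replace("\n", " "))
```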
