What Is Cross-Site Scripting (XSS) and How to Prevent It
XSS is the most frequently found vulnerability in web applications. Understanding it — and the two-line fix — should be mandatory for every web developer.
What XSS allows an attacker to do
Execute arbitrary JavaScript in a victim's browser — steal session cookies, redirect to phishing pages, log keystrokes, take over accounts, deface your website, or use the victim's browser to attack other sites. The impact is limited only by the attacker's creativity.
Stored vs reflected XSS
Stored XSS: malicious script saved in your database (e.g., in a comment field) and served to all users who view it. Reflected XSS: malicious script delivered via a URL parameter and immediately reflected in the response. Both are critical.
Find XSS vulnerabilities on your site in 10 seconds.
UebGuard scans for XSS exposure and tells you exactly where to add output encoding.
No credit card required. Results in 10 seconds.
The fix: output encoding
Encode user-controlled data before inserting it into HTML. React and Vue do this automatically for text content rendered via JSX/template syntax. The risk appears when developers use dangerouslySetInnerHTML or v-html with user data — avoid these unless absolutely necessary.
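As an added example (not code from the original article), here is the fix in plain JavaScript string templating, with the vulnerable concatenation shown next to the encoded version; the comment-rendering functions, the `escapeHtml` helper and the sample comment are all constructed for illustration.

```javascript
// Added example: output encoding for user-controlled data placed into HTML.
// Runs under Node; no DOM or framework needed.

// The five characters that can change meaning inside an HTML text node or
// a double-quoted attribute value, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for insertion into HTML text or a quoted attribute.
// Deliberately simple: it never tries to "fix" already-encoded input,
// so encoding twice yields a visibly double-encoded string rather than
// silently passing markup through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: the comment is concatenated into markup unchanged, so a
// comment body containing a tag becomes part of the page (stored XSS).
function renderCommentUnsafe(author, body) {
  return `<li data-author="${author}">${body}</li>`;
}

// FIXED: every user-controlled value is encoded before insertion. The
// attribute value must be quoted for this encoding to be sufficient.
function renderCommentSafe(author, body) {
  return `<li data-author="${escapeHtml(author)}">${escapeHtml(body)}</li>`;
}

// Constructed sample input: an author name containing quotes (attribute
// context) and a comment body containing a script tag (text context).
const SAMPLE_AUTHOR = 'Mal "the" Lory';
const SAMPLE_BODY = '<script>alert(1)</script> nice post';

// True when rendered HTML still contains a raw script tag, i.e. encoding
// did not happen. Useful as a quick regression check in a template test.
function containsRawScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY));
```

The unsafe renderer emits the script tag verbatim; the safe one emits `&lt;script&gt;`, which the browser displays as text and never executes.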
Content Security Policy as a second layer
A strict Content-Security-Policy header prevents inline script execution and restricts script sources. Even if an attacker injects a script tag, CSP blocks its execution. It's not a substitute for output encoding — it's a safety net when encoding fails.