Cross-Site Scripting (XSS)

SECURITY

Quick Definition

Cross-Site Scripting (XSS) is a class of web vulnerabilities where attackers inject JavaScript into a web page that other users will see. The injected script runs in the victim's browser with the same origin (cookies, session tokens, DOM access) as the legitimate site. There are three main categories: stored XSS (the malicious script is saved on the server, e.g. in a comment, and served to every visitor), reflected XSS (the script comes from a URL parameter and bounces back in the response), and DOM-based XSS (the vulnerability is entirely client-side, with the script never touching the server).

How it works

XSS exploits any user input that ends up rendered as HTML or executed as JavaScript without proper escaping. The fix is consistent contextual escaping: escape for HTML when inserting into HTML, escape for JavaScript when inserting into a script context, and so on. Modern frameworks (React, Vue, Svelte) escape by default for HTML contexts; XSS in modern apps usually comes from dangerouslySetInnerHTML, custom DOM manipulation, or server-rendered templates.
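To make the contextual-escaping rule concrete, here is an added JavaScript example (not TerminalFeed code or any library's API) that renders the stored-comment case from the definition with and without HTML-context escaping, and embeds the same kind of data in a script context with JavaScript-string escaping. The helper names, templates and sample comment are constructed for illustration.

```javascript
// Added example (not TerminalFeed code): contextual output encoding for the
// two sink contexts named above. Helper names and sample data are constructed.

// HTML body/attribute context: neutralise the characters that can open a tag,
// close an attribute, or start an entity.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string context (data placed inside a server-rendered <script>).
// JSON.stringify escapes quotes, backslashes and control characters, but the
// HTML parser still ends the block at "</script>", so '<' and '>' are also
// encoded as \u escapes, which the JS parser decodes back inside the string.
function escapeJsString(input) {
  return JSON.stringify(String(input))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// Constructed stored-comment payload of the kind the definition describes.
const storedComment = '<img src=x onerror="alert(1)">';

// VULNERABLE: raw concatenation into HTML. The browser parses the comment as
// markup, so the onerror handler executes in the site's origin.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// FIXED: same template, but the data is escaped for the HTML context it lands in.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// FIXED: data embedded in an inline script using JS-string escaping. Note that
// escapeHtml would be the WRONG choice here; the context decides the encoder.
function renderUserScript(username) {
  return '<script>var user = ' + escapeJsString(username) + ';</script>';
}

// Regression check a reviewer can run: the data must not survive as markup.
function dataLeaksAsMarkup(renderedHtml, data) {
  return renderedHtml.includes(data);
}
```

The same escaping discipline applies to DOM-based sinks: data assigned via textContent is inert, while innerHTML (or dangerouslySetInnerHTML) treats it as markup.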

Defense in depth: Content Security Policy (CSP) blocks inline scripts and limits script sources, HttpOnly cookies prevent script access to session tokens (though an injected script can still send requests as the logged-in user), and Trusted Types (where supported) require that dangerous DOM sinks such as innerHTML receive sanitized, typed values rather than raw strings.

Why it matters

XSS is consistently in the OWASP Top 10. It allows account takeover, session hijacking, credential theft, and defacement. Sites that handle user input without rigorous escaping or CSP are one bug away from a serious incident.

Where you'll see this on TerminalFeed

The API security blog covers parallel concepts for API endpoints. The CSRF entry describes a related but distinct attack.