What is Cross-Site Scripting (XSS)?
Answer
Cross-Site Scripting (XSS) is an attack where malicious scripts are injected into web pages viewed by other users.

Types:
Stored XSS: the malicious script is permanently stored on the server (e.g., in a comment field) and served to every visitor.
Reflected XSS: the script is embedded in a URL/request and reflected back in the response; the victim must click a malicious link.
DOM-based XSS: the attack occurs entirely in the browser's DOM without hitting the server.

XSS allows attackers to steal cookies/session tokens, redirect users, deface pages, and perform actions as the victim.

Prevention:
(1) Output encoding/escaping (HTML encode all user input before displaying).
(2) Content Security Policy (CSP) headers.
(3) Use frameworks that auto-escape (React, Angular).
(4) HttpOnly cookies (prevents JS cookie theft).
(5) Input validation.