Cross-site scripting (XSS) explained with real examples
Cross-site scripting (XSS) is when an attacker gets your website to execute their JavaScript in someone else's browser. It's one of the oldest web vulnerabilities, and it's still everywhere.
Stored XSS
Someone submits a comment to your blog that contains a script tag that steals cookies. You store it in your database without sanitizing. Every time anyone views that comment, the script runs in their browser and sends their session cookie to the attacker. The attacker can then impersonate that user.
Reflected XSS
Your app takes a search query from the URL and echoes it back into the page: "No results for [query]." An attacker crafts a URL with script tags in the query parameter and tricks someone into clicking it. The script executes in the victim's browser.
DOM-based XSS
Your JavaScript reads from location.hash or document.referrer and writes it into the DOM via innerHTML. No server involved — entirely in the browser.
The fix
Don't use innerHTML to insert user-controlled data. Use textContent instead. Escape HTML entities before rendering any user input in the page. If you're using React, JSX handles this by default — unless you're using dangerouslySetInnerHTML.
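The reflected and DOM-based cases above, built first the vulnerable way and then the fixed way, as an added JavaScript example that is not part of the original article; the function names are this example's own, and the crafted query is constructed for the demo.

```javascript
// Added example, not code from the article. Pure functions so it runs in Node
// without a DOM; the DOM-based case takes an element-like object as a parameter.

// Escape the five characters that let a value break out of an HTML text or
// attribute context. '&' must be replaced first so the others aren't double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected XSS, vulnerable: the query from the URL is echoed straight into markup.
function renderSearchResultUnsafe(query) {
  return '<p>No results for ' + query + '.</p>';
}

// Reflected XSS, fixed: escape before the value reaches an HTML context.
function renderSearchResultSafe(query) {
  return '<p>No results for ' + escapeHtml(query) + '.</p>';
}

// DOM-based XSS, fixed: write the hash as text, never via innerHTML.
// `el` is any object with a textContent property (a real element in the browser).
function showHashInElement(el, hash) {
  const value = hash.startsWith('#') ? hash.slice(1) : hash;
  el.textContent = value; // browser treats this as text, not markup
  return el;
}

// Detection helper for the demo: does a rendered fragment still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input standing in for a crafted query parameter.
const craftedQuery = '<script>alert(1)</script>';
```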
Set a Content Security Policy header that restricts which scripts can run on your page. This won't prevent all XSS, but it limits the damage.