Cross-Site Scripting (XSS) lets an attacker run JavaScript in the victim's browser under the vulnerable site's origin: the injected script can read the page, send requests that carry the victim's cookies, and rewrite what the user sees. Typical consequences are session theft and in-page phishing. XSS remains one of the most common web vulnerabilities (the OWASP Top 10 groups it under Injection).
XSS Types
- Stored (persistent) XSS: the payload is saved server-side (database, comments, profile fields) and served to every user who later views the page.
- Reflected XSS: the payload arrives in a request parameter (URL query string, form field) and is echoed into the response without encoding; the victim has to be lured into sending that request.
- DOM-based XSS: client-side JavaScript reads untrusted data (location.hash, document.referrer, postMessage) and writes it to a dangerous sink such as innerHTML or eval; the payload may never reach the server, so server-side encoding cannot catch it.
Output Encoding
```jsx
// React: values interpolated into JSX are escaped automatically
function Comment({ text }) {
  return <p>{text}</p>; // rendered as text, never parsed as HTML
}
// Not covered by the auto-escaping: dangerouslySetInnerHTML and
// attacker-controlled URL attributes such as href="javascript:...".
```

```python
# Python Jinja2: Flask enables autoescaping by default for templates with HTML/XML
# extensions (.html, .htm, .xml, .xhtml); standalone Jinja2 must switch it on.
from jinja2 import Environment

env = Environment(autoescape=True)
# Markup(...) and the |safe filter turn escaping off for one value; use them only
# on HTML that has already been sanitized.
```

Content Security Policy
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';

Generate a fresh random nonce for every response and put it on each legitimate script tag; an injected script that lacks the nonce is blocked even if output encoding failed. The 'unsafe-inline' in style-src is a concession for inline styles and does not loosen the script restrictions.
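The following is an added example, not code from the page, tying the two sections above together: one encoder per output context (HTML text, URL attribute, inline script data) plus a per-response CSP nonce. It is standalone Python using only the standard library; the function names, the SAFE_SCHEMES allowlist and the payloads are this example's own, and the policy string extends the page's header with object-src and base-uri.

```python
import html
import json
import secrets
from urllib.parse import urlsplit

# Added example: one encoder per output context.  All names here (escape_html,
# safe_url, to_js_literal, new_nonce, csp_header, render_comment_page) are
# this example's own, not an API from the page.

# URL schemes a user-supplied link may carry; relative URLs (no scheme) pass.
SAFE_SCHEMES = {"http", "https", "mailto"}


def escape_html(text: str) -> str:
    """HTML body text and quoted attribute values: & < > " ' become entities."""
    return html.escape(text, quote=True)


def safe_url(url: str) -> str:
    """href/src attribute context.  html.escape leaves 'javascript:alert(1)'
    untouched, so the scheme is allowlisted first and the value is
    entity-encoded for the attribute only afterwards."""
    # Browsers ignore tab/newline inside a scheme, so drop them before parsing.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"  # neutralise the link instead of emitting a dangerous scheme
    return escape_html(cleaned)


def to_js_literal(value) -> str:
    """Inline <script> data context.  JSON is valid JavaScript; escaping < > &
    on top means '</script>' inside the data can never end the script element.
    json.dumps(ensure_ascii=True) already escapes U+2028/U+2029."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def new_nonce() -> str:
    """Fresh, unguessable nonce for one response.  A reused or predictable
    nonce is a value the attacker can copy onto an injected <script> tag."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """The page's policy plus object-src and base-uri, which close the plugin
    and <base href> injection routes the original header left open."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "style-src 'self' 'unsafe-inline'; "
            "frame-ancestors 'none'; object-src 'none'; base-uri 'self'")


def render_comment_page(comment: str, link: str, nonce: str) -> str:
    """Server-side template with every interpolation encoded for its context."""
    return (
        "<!doctype html>\n"
        f'<p class="comment">{escape_html(comment)}</p>\n'
        f'<a href="{safe_url(link)}" title="{escape_html(link)}">source</a>\n'
        f'<script nonce="{escape_html(nonce)}">\n'
        f"  const comment = {to_js_literal(comment)};\n"
        "  console.log(comment);\n"
        "</script>\n"
    )


if __name__ == "__main__":
    # Constructed payloads: a script-breakout attempt and a javascript: link.
    payload = "</script><script>alert(document.cookie)</script>"
    nonce = new_nonce()
    print("Content-Security-Policy:", csp_header(nonce))
    print(render_comment_page(payload, "javascript:alert(1)", nonce))
```

The rendered page contains the payload three times (as visible text, as the link title and inside the script) and none of the three copies is executable; the only `</script>` in the output is the template's own closing tag. Note that `safe_url` rejects the scheme before encoding: the order matters, because an entity-encoded `javascript&colon;` would be decoded by the browser if it had not been encoded again.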
HTML Sanitization
Use a sanitizer only when users are allowed to submit HTML (rich-text comments, WYSIWYG editors); when the value is plain text, output encoding is the right tool.

```javascript
// DOMPurify: allowlist-based HTML sanitizer for the browser
import DOMPurify from 'dompurify';

const clean = DOMPurify.sanitize(dirty);
// `clean` keeps safe markup only (no script, no event-handler attributes,
// no javascript: URLs) and can then be assigned to innerHTML
```
Python bleach
```python
import bleach

# Only the listed tags survive; everything else is escaped.  bleach's default
# attribute allowlist permits href and title on <a>, and its default protocol
# allowlist (http, https, mailto) strips javascript: links.
clean = bleach.clean(dirty, tags=['p', 'b', 'i', 'a'])
```

bleach's maintainers declared the project deprecated in 2023 and point to nh3 as a replacement; it still works, but expect no fixes for new parser quirks.
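To show what an allowlist sanitizer such as DOMPurify or bleach does internally, here is an added illustrative example built on Python's html.parser. It is not the page's code and not a substitute for a maintained library (browser parsing quirks and mutation XSS are exactly why you use one). The tag and attribute allowlists mirror the bleach call above; the class name, the sanitize function and the test input are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example: the allowlists mirror bleach.clean(dirty, tags=['p','b','i','a'])
# with bleach's default href/title attributes and http/https/mailto protocols.
ALLOWED_TAGS = {"p", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# The contents of these elements are code, not user text: drop them entirely.
DROP_CONTENT = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes and re-escapes all text."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we escape again on
        # output, so '&lt;script&gt;' in the input cannot become a live tag.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # disallowed tag is dropped; its text is kept
        parts = [tag]
        for name, value in attrs:
            # onclick, onerror, style, src ... are never in the allowlist
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href":
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript: links removed
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so the output stays balanced.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()  # flush any buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(dirty: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(dirty)
    return parser.result()


if __name__ == "__main__":
    # Constructed input mixing allowed markup with the usual injection vectors.
    dirty = ('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script></p>'
             '<a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)>')
    print(sanitize(dirty))
```

Comments, processing instructions and doctype declarations fall through HTMLParser's default no-op handlers and disappear; unclosed allowed tags are closed at the end so the fragment cannot break the surrounding page's structure.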
Key Takeaway
Context-aware output encoding is the primary defence; a nonce-based CSP limits what an injected script can do when encoding is missed; HttpOnly cookies keep the session cookie out of reach of document.cookie but do not stop a script from acting in the victim's session. The three layers complement each other, and none of them replaces the others.