Cross-site scripting (XSS) is a type of security vulnerability commonly found in web applications. It allows attackers to inject malicious scripts—usually JavaScript—into web pages that other users view. When unsuspecting users load the affected page, the malicious script runs in their browser, potentially stealing cookies, session tokens, or other sensitive data, or even performing actions on behalf of the user.
How XSS Works (in simple terms):
Imagine a website that displays user comments. If the site doesn’t properly check or clean up (sanitize) what users submit, an attacker could post a comment like this:
When someone else views the page, the script runs in their browser, grabbing their cookie and sending it to the attacker.
Types of XSS:
- Stored XSS: The malicious script gets permanently stored on the target site.
- Reflected XSS: The script is reflected off the web server (e.g., via a search result or error message).
- DOM-based XSS: The vulnerability exists in client-side code, where user input is handled insecurely by JavaScript.
How to Prevent XSS:
1. Escape Output
- Always escape user-generated content before displaying it in HTML, JavaScript, or CSS. Many frameworks have built-in functions:
- PHP:
htmlspecialchars($string, ENT_QUOTES, 'UTF-8') - JavaScript (React, Angular, Vue): Output is escaped by default when using templating.
- PHP:
2. Validate and Sanitize Input
- Accept only the expected type, length, and format of data.
- Remove or neutralize unwanted code or characters.
3. Use Content Security Policy (CSP)
- Add a CSP header to your site to restrict where scripts can be loaded from:
http
Content-Security-Policy: default-src 'self' - This helps prevent attackers from executing unauthorized scripts, even if they manage to inject them.
4. Avoid Dangerous APIs
- Never use
eval()orinnerHTMLto process user input in JavaScript, as these can execute injected scripts.
5. Framework Security
- Use modern web frameworks that handle encoding/escaping automatically.
- Don’t turn off built-in XSS protections.
6. HTTPOnly Cookies
- Set session cookies as
HttpOnlyso they can’t be accessed via JavaScript.
Quick Summary Table
| Prevention Technique | What It Does |
|---|---|
| Escape Output | Neutralizes HTML/script tags |
| Validate/Sanitize Input | Blocks or cleans bad inputs |
| Content Security Policy | Restricts script sources |
| Avoid Dangerous APIs | Prevents risky code execution |
| Framework Security | Leverages built-in protections |
| HTTPOnly Cookies | Blocks JS from reading cookies |
Bottom line:
Always treat user input as untrusted. Escape it, sanitize it, and use security headers like CSP. A layered approach is the best way to defend your website and your users from XSS attacks.
