NovaBlock

Cross-Site Scripting

Also known as: XSS

A vulnerability that lets an attacker run JavaScript in another user's browser session on a trusted site.

Updated 10 February 2026

Cross-site scripting happens when a site includes user-supplied content in a page without properly escaping it, letting an attacker inject <script> tags. The injected code runs with the victim's privileges: reading cookies, making authenticated requests, exfiltrating data.

Defences layer up: output encoding, input validation, HttpOnly cookies, and Content Security Policy. XSS remains one of the most common web vulnerabilities.
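The layers named above, sketched as an added example that is not part of the original glossary entry: the same comment template with and without output encoding, an allow-list validator, and response headers carrying a Content Security Policy and an HttpOnly cookie. All function names, the policy string and the sample input are constructed for illustration.

```javascript
// Added example; every name and value here is an assumption, not from a real app.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted-attribute contexts only.
// JavaScript, URL and CSS contexts each need their own encoder.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-supplied text is concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened: same template, encoded at the point of output.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Input validation: allow-list for a field with a known shape (a username).
function isValidUsername(name) {
  return typeof name === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(name);
}

// The remaining two layers travel as response headers.
function securityHeaders(sessionId) {
  return {
    // CSP: only same-origin scripts load; injected inline <script> is refused.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    // HttpOnly: the session cookie is not readable from document.cookie.
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

const sample = '<script>alert(1)</script>'; // constructed input
console.log(renderCommentUnsafe(sample)); // tag reaches the page intact
console.log(renderCommentSafe(sample));   // tag is rendered as inert text
console.log(securityHeaders('example-session-id'));
```

HttpOnly and CSP limit what injected script can do or whether it runs at all; encoding at output is the layer that stops the injection itself.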
