{
    "slug": "xss",
    "term": "Cross-Site Scripting (XSS)",
    "category": "security",
    "difficulty": "intermediate",
    "short": "User-supplied content rendered in the browser without escaping, allowing script injection into other users' sessions.",
    "long": "XSS lets attackers inject JavaScript into pages viewed by other users. Reflected XSS triggers via a crafted URL; stored XSS persists in the database and fires for every visitor. Consequences include session hijacking, credential theft, keylogging, and full account takeover. Prevention requires context-aware output encoding — in PHP, htmlspecialchars() with ENT_QUOTES for HTML contexts, and different escaping for JS, CSS, and URL contexts.",
    "aliases": [
        "Cross-Site Scripting",
        "cross site scripting",
        "XSS attack",
        "script injection"
    ],
    "tags": [
        "owasp-top10",
        "injection",
        "browser",
        "cwe-79"
    ],
    "misconception": "Stripping HTML tags prevents XSS. Attackers use encoded payloads, CSS, SVG, and event attributes that survive tag stripping — the only reliable fix is context-aware output encoding (HTML, JS, CSS, URL contexts each need different escaping).",
    "why_it_matters": "XSS lets attackers run arbitrary JavaScript in victims' browsers — stealing session cookies, redirecting users, or logging keystrokes. It is the most common web vulnerability and is largely preventable with context-aware output encoding.",
    "common_mistakes": [
        "Encoding input on the way in rather than on output — context determines the correct encoding, not the storage layer.",
        "Forgetting that HTML encoding is wrong inside JavaScript contexts — you need JS encoding there.",
        "Trusting htmlspecialchars() without ENT_QUOTES — single quotes in attributes remain dangerous.",
        "Marking user content as safe in templating engines (e.g. {!! $var !!} in Blade) without explicit sanitisation."
    ],
    "when_to_use": [
        "Understanding XSS is essential for any developer rendering user-supplied content in a browser.",
        "Apply output encoding whenever displaying data from any untrusted source — database, API, user input."
    ],
    "avoid_when": [
        "Do not rely on input sanitisation alone — stripping tags on input does not prevent XSS on output.",
        "Do not use htmlspecialchars() for JavaScript, URL, or CSS contexts — each context requires its own escaping function."
    ],
    "related": [
        "htmlspecialchars",
        "content_security_policy"
    ],
    "prerequisites": [
        "htmlspecialchars",
        "content_security_policy",
        "input_validation"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/xss/",
        "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
        "https://cwe.mitre.org/data/definitions/79.html"
    ],
    "bad_code": "// Reflected XSS — user input echoed directly\necho '<p>Hello, ' . $_GET['name'] . '</p>';",
    "good_code": "// Always escape output for the correct context\necho '<p>Hello, ' . htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8') . '</p>';\n\n// For JS context, json_encode is the correct escaper:\n$data = json_encode($userInput, JSON_HEX_TAG | JSON_HEX_AMP);",
    "quick_fix": "Wrap all user output in HTML contexts with htmlspecialchars($val, ENT_QUOTES, 'UTF-8') (JS, URL and CSS contexts need their own escaper) and add a Content-Security-Policy header as defence in depth",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-13",
    "updated": "2026-03-31",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/xss",
        "html_url": "https://codeclaritylab.com/glossary/xss",
        "json_url": "https://codeclaritylab.com/glossary/xss.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Cross-Site Scripting (XSS)](https://codeclaritylab.com/glossary/xss) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/xss"
            }
        }
    }
}