Why it matters

XSS is one of the most common web vulnerabilities. Understanding prevention is essential.

Advertisement

The architecture

Reflected XSS: user input reflected in response. e.g., search page shows query without escaping.

Stored XSS: attacker input stored, shown to other users. e.g., malicious comment.

DOM XSS: JavaScript modifies DOM insecurely.

XSS typesReflectedinput echoedStoredinput persistedDOMclient-side injectionOutput encoding + CSP + framework escaping = defense-in-depth
XSS variants.
Advertisement

How it works end to end

Output encoding: escape HTML special chars in output. Frameworks do this by default (React, Vue).

Content Security Policy (CSP): HTTP header restricting what scripts can load. Blocks inline scripts, restricts sources.

Sanitizer: for rich text input, use DOMPurify or similar to strip dangerous constructs.