Why it matters
XSS is one of the most common web vulnerabilities. Understanding prevention is essential.
Advertisement
The architecture
Reflected XSS: user input reflected in response. e.g., search page shows query without escaping.
Stored XSS: attacker input stored, shown to other users. e.g., malicious comment.
DOM XSS: JavaScript modifies DOM insecurely.
Advertisement
How it works end to end
Output encoding: escape HTML special chars in output. Frameworks do this by default (React, Vue).
Content Security Policy (CSP): HTTP header restricting what scripts can load. Blocks inline scripts, restricts sources.
Sanitizer: for rich text input, use DOMPurify or similar to strip dangerous constructs.