# Cross-Site Scripting (XSS)

## Overview

Cross-site scripting (XSS) is a vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. Cross-site scripting works by manipulating a vulnerable website so that it returns malicious JavaScript to users. When malicious code executes inside a victim's browser, an attacker can fully compromise their interaction with the application.

You can find more details at [PortSwigger Web Security Academy: Cross-site scripting](https://portswigger.net/web-security/cross-site-scripting).

This page contains recommendations for implementing protection against Cross-Site Scripting (XSS) attacks.

## General

**Base recommendations**

* Make sure all untrusted data (user-controlled variables) goes through input validation and is then escaped or sanitized before it is rendered.
* Implement input validation, see the [Input Validation](https://0xn3va.gitbook.io/application-security-handbook/web-application/input-validation) page.
* Implement output encoding, see the [Output Encoding](https://0xn3va.gitbook.io/application-security-handbook/web-application/output-encoding) page.
* Implement HTML sanitization for any user-supplied HTML that must be rendered as markup, see [DOMPurify](https://github.com/cure53/DOMPurify).
* Comply with requirements from the [Cookie Security](https://0xn3va.gitbook.io/application-security-handbook/web-application/cookie-security) page.
* Enforce strict Content Security Policy, see the [Content Security Policy (CSP)](https://0xn3va.gitbook.io/application-security-handbook/web-application/content-security-policy-csp) page.

**Advanced recommendations**

* Use stable versions of modern JavaScript frameworks such as Angular, Vue or React and rely on their built-in protection mechanisms (automatic escaping of interpolated values) instead of inserting raw HTML.

## References

* [OWASP Cheat Sheet Series: Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
