Cross-Site Scripting (XSS) occurs when untrusted data is injected into a webpage without proper validation. It allows attackers to execute malicious scripts in users' browsers.
Writing untrusted data into the page with document.write() without validation can lead to full control over page content. 🔐 Modern websites use input sanitization, escaping, and Content Security Policies (CSP) to prevent XSS.
Examples of payloads:
<script>alert('XSS')</script>
" onmouseover="alert(1)
<img src=x onerror=alert(1)>
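As an added example (not code from the original page), the snippet below contrasts the document.write()-style mistake of splicing untrusted data straight into markup with an HTML-escaping helper, and includes a small Content-Security-Policy parser that reports whether inline scripts would be allowed to run. The three payloads are the ones listed above; the policy strings, function names and the "inert" check are constructed for this demonstration.

```javascript
// Added example, not code from the original page. It shows the document.write()
// style mistake (untrusted data concatenated into markup) beside an escaping
// helper, and a minimal CSP parser that reports whether inline scripts would run.
// Payloads are the three from the page; policy strings are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning in HTML text or quoted attributes.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted value is spliced into markup exactly as
// document.write('<p>Hello, ' + name + '</p>') would do.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened: same template, but the value is escaped for the HTML text context.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Attribute context. The unsafe version lets '" onmouseover="alert(1)' close the
// quoted title attribute and add an event handler.
function renderTitleUnsafe(title) {
  return '<a title="' + title + '">link</a>';
}

function renderTitleSafe(title) {
  return '<a title="' + escapeHtml(title) + '">link</a>';
}

// True when the escaped output no longer contains any character that could
// open a tag or close a quoted attribute (constructed check, not a full parser).
function escapedOutputIsInert(untrusted) {
  return !/[<>"']/.test(escapeHtml(untrusted));
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Simplified check: would this policy let inline <script> blocks and on* handlers run?
// script-src governs scripts, falling back to default-src; no directive means no restriction.
// (Browsers also ignore 'unsafe-inline' when a nonce or hash is present; not modelled here.)
function cspAllowsInlineScript(policy) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  return sources.includes("'unsafe-inline'");
}

// The three payloads listed on the page.
const PAYLOADS = [
  "<script>alert('XSS')</script>",
  '" onmouseover="alert(1)',
  '<img src=x onerror=alert(1)>',
];

// Constructed policy that blocks all three: only same-origin script files may execute.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

function demo() {
  for (const p of PAYLOADS) {
    console.log('unsafe :', renderGreetingUnsafe(p));
    console.log('safe   :', renderGreetingSafe(p), '| inert:', escapedOutputIsInert(p));
  }
  console.log('strict CSP allows inline script:', cspAllowsInlineScript(STRICT_CSP));
}

demo();
```

Two points the run makes visible: escaping must match the output context (the same helper covers HTML text and quoted attributes here, but an unquoted attribute or a JavaScript string would need different rules), and CSP is a second layer that stops the inline payloads from executing even if an escape is missed, not a substitute for escaping.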