Glossary · Security

Cross-Site Scripting (XSS)

An attack where malicious script is injected into a trusted website and runs in other users' browsers.

In detail

Cross-Site Scripting (XSS) is the class of attack where attacker-controlled content (a comment, a profile field, a URL parameter) ends up rendered as executable script in another user's browser. The script then runs in the trusted site's context and can steal session cookies, modify the page, or perform requests as the victim. Defences include strict output encoding, content sanitisation libraries (like DOMPurify), modern frameworks that escape by default, and a Content Security Policy that limits what scripts can run.

Why it matters for Australian business

XSS is the #1 finding we see in vibe-coded Australian apps that render markdown or HTML from user input. AI code generators frequently use dangerouslySetInnerHTML or its equivalents without a sanitiser. The fix is small (run output through DOMPurify) but the consequence of skipping it is severe: stored XSS lets one malicious user compromise every other user.
