
What is XSS Prevention?

XSS (Cross-Site Scripting) is an attack where attacker-controlled JavaScript is injected into your site and executed in victims' browsers, where it runs with the user's session: it can read cookies or tokens the page can read, exfiltrate page content, and perform actions as the user. Three types: Stored XSS (the payload is saved server-side, e.g. in a database, and served to every viewer), Reflected XSS (the payload arrives in a request, typically a URL parameter, and is echoed straight back into the response), and DOM XSS (client-side JavaScript reads attacker-controlled data such as location.hash and writes it to a dangerous sink such as innerHTML, without the server ever seeing the payload). Prevent it with context-aware output encoding, HTML sanitization where rich markup is genuinely required, input validation, a Content Security Policy, and templating that escapes by default.

When Should You Use This?

Prevent XSS in every app that displays user-generated content (comments, profiles, forms, Markdown, rich text). Use framework-provided escaping: React escapes values interpolated in JSX automatically, but dangerouslySetInnerHTML bypasses that protection entirely. Sanitize HTML with DOMPurify when you must render markup, use CSP to block inline scripts, and validate all input. Test with XSS payloads such as <script>alert(1)</script> and <img src=x onerror=alert(1)>, and check every context the value lands in (HTML text, attribute values, URLs, and JavaScript), since a string that is harmless in one context can execute in another.
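The encoding step above is where most XSS fixes live, so here is an added example (not code from the original page) of context-aware output encoding in plain Node.js, with the unsafe render beside the hardened one. It goes one step past the page's text: HTML escaping alone does not protect an href, because javascript:alert(1) contains no special characters, so URL attributes need scheme validation as well. The function names, the comment shape and the sample payloads are this example's own assumptions.

```javascript
// Added example, not code from the original page: context-aware output
// encoding for HTML text, attribute and URL contexts, with the same
// render done unsafely beside it. Plain Node.js, no dependencies.
// Function names and the sample payloads below are this example's own.

// Encode the five significant characters. The result is safe in HTML text
// and inside double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Escaping alone does not protect URL attributes: "javascript:alert(1)"
// contains no special characters yet runs when used as an href. Allow
// only http(s) absolute URLs and site-relative paths (not "//host" ones).
function safeHref(url) {
  const s = String(url).trim();
  if (/^\/(?!\/)/.test(s)) return s;
  try {
    const u = new URL(s);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // not an absolute URL; fall through to the placeholder
  }
  return '#';
}

// Vulnerable: attacker-controlled strings concatenated straight into markup.
function renderCommentUnsafe({ name, website, body }) {
  return `<div class="comment"><a href="${website}">${name}</a>` +
    `<p>${body}</p></div>`;
}

// Hardened: each value encoded for the context it lands in.
function renderComment({ name, website, body }) {
  return `<div class="comment"><a href="${escapeHtml(safeHref(website))}">` +
    `${escapeHtml(name)}</a><p>${escapeHtml(body)}</p></div>`;
}

// Rough check used only to show the difference: does the output still
// contain a real tag from the payloads, or a javascript: link?
function containsActiveMarkup(html) {
  return /<(script|img|svg)\b|href="javascript:/i.test(html);
}

// Constructed sample inputs: one benign, two carrying the payloads the
// page suggests for testing plus a javascript: URL and a tag-breakout name.
const samples = [
  { name: 'alice', website: 'https://example.com/', body: 'hello & welcome' },
  { name: '<script>alert(1)</script>', website: 'javascript:alert(1)',
    body: '<img src=x onerror=alert(1)>' },
  { name: '"><svg onload=alert(1)>', website: '//evil.example/x', body: 'x' },
];

for (const s of samples) {
  console.log('unsafe active markup:', containsActiveMarkup(renderCommentUnsafe(s)));
  console.log('safe   active markup:', containsActiveMarkup(renderComment(s)));
}
```

The safe render never hands raw input to the markup: text and attribute values go through escapeHtml, and the href goes through safeHref first, which rejects javascript: and protocol-relative //host URLs and then escapes whatever survives. Use your template engine's built-in escaping in production rather than a hand-written escaper; the point of the block is where each encoding has to happen.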

Common Mistakes to Avoid

  • Using dangerouslySetInnerHTML without sanitization: React's biggest XSS risk; run the markup through DOMPurify first, and prefer plain JSX interpolation whenever the content does not need to be HTML
  • Trusting Markdown renderers: many pass raw HTML through by default; sanitize the rendered HTML (rehype-sanitize in a remark pipeline, or DOMPurify on marked's output; marked's old sanitize option is deprecated and not a substitute)
  • Not escaping URL parameters: reflected XSS via ?name=<script>alert(1)</script> echoed straight into the page
  • Client-side validation only: attackers send requests directly and never run your JavaScript; validate and sanitize on the server, and encode at the point of output
  • Forgetting DOM XSS: prefer textContent over innerHTML, never pass untrusted data to eval or document.write, and sanitize with DOMPurify when inserting HTML is unavoidable

Real-World Examples

  • MySpace (2005): the Samy worm spread through stored XSS in user profiles and reached over a million users in under 20 hours
  • GitHub: prevents XSS in Markdown rendering by sanitizing the generated HTML and enforcing a CSP
  • WordPress: sanitizes comments and post content to block XSS in themes and plugins
  • Twitter: escaped user input to prevent XSS in tweets and DMs

Category

Cybersecurity

Tags

xss, cross-site-scripting, xss-prevention, injection-attacks, security
