XSS (Cross-Site Scripting)

A flaw where attacker-controlled script runs in another user's browser, letting it steal sessions or act as that user.

XSS happens when your app renders user-supplied content as HTML without escaping it. If a comment, profile name, or support message containing <script> is shown to other users unescaped, that script runs in their browser with their session. The attacker can read tokens, submit actions as the victim, or rewrite the page.

For a founder, XSS is dangerous because it turns your own users into the delivery channel and often hits your admins, who have the most access. It's a long-standing entry on the OWASP Top 10.

The fix is to escape output by context, avoid injecting raw HTML, and add a Content Security Policy as a backstop. Modern frameworks like React escape by default, so the risk usually appears where you reach for dangerouslySetInnerHTML or its equivalents.
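As an added example (not code from the original entry): a comment renderer written in the raw string-concatenation style the entry warns about, next to a version that escapes each user-controlled value for the HTML context it lands in, plus the Content Security Policy header used as a backstop. The function names, the sample comment and the check at the end are constructed for this illustration.

```javascript
// Characters that are significant in HTML text and in quoted attribute values.
// Escaping all five is enough for both contexts as long as attributes are quoted.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the entry describes: user-supplied fields concatenated straight
// into markup. A body containing <script> becomes a real script element, and an
// author name can close the title attribute and add its own attributes.
function renderCommentUnsafe(comment) {
  return `<div class="comment" title="${comment.author}">${comment.body}</div>`;
}

// Hardened version: every user-controlled value is escaped for the context it
// lands in (quoted attribute value, element text), so the browser treats it as data.
function renderCommentSafe(comment) {
  return `<div class="comment" title="${escapeHtml(comment.author)}">` +
    `${escapeHtml(comment.body)}</div>`;
}

// Constructed sample standing in for stored user content (not a real payload).
const SAMPLE_COMMENT = {
  author: 'mallory" onmouseover="alert(1)',
  body: "hi <script>alert(1)</script>",
};

// Backstop mentioned in the entry: scripts only from the page's own origin, so an
// inline <script> that slips past escaping is refused by the browser. (Constructed
// policy; tune it to the app's actual script sources.)
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Simple check a unit test or code review could run over rendered output:
// is there still a live script tag or an attribute breakout?
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

console.log(renderCommentSafe(SAMPLE_COMMENT));
```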