Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.

XSS enables attackers to inject client-side scripts into web pages viewed by other users.

javascript not validating w3c-47javascript not validating w3c-61

A reflected attack is typically delivered via email or a neutral web site.

The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector.

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.

Errors in XML documents will stop your XML applications.

The W3C XML specification states that a program should stop processing an XML document if it finds an error.

To do this, for the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal) but the text at the end of her answer is her script to steal names and emails.

If the script is enclosed inside a Contextual output encoding/escaping could be used as the primary defense mechanism to stop XSS attacks.

For privacy reasons, this site hides everybody's real name and email. The only time a member's real name and email are in the browser is when the member is signed in, and they can't see anyone else's.

Suppose that Mallory, an attacker, joins the site and wants to figure out the real names of the people she sees on the site.

A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.