Severity: high
Security Vulnerability

Cross-Site Scripting (XSS)

XSS lets an attacker inject script that runs in other users' browsers in the context of the vulnerable site, where it can steal sessions or credentials and perform actions as those users.


What is Cross-Site Scripting (XSS)?

Cross-Site Scripting occurs when an application includes untrusted data in a web page without validating it and encoding it for the context where it lands. The injected script runs in the victim's browser within the origin of the vulnerable site, so it can read non-HttpOnly cookies, localStorage and the DOM, rewrite the page, and send authenticated requests as the user. The same-origin policy does not help, because as far as the browser knows the script is the site's own.

How It Happens

  • Rendering user input into HTML without encoding it for the context it lands in (text, attribute, URL, script)
  • Assigning untrusted data to innerHTML, outerHTML or document.write, or to framework escape hatches such as dangerouslySetInnerHTML and v-html
  • Reading URL parameters, location.hash or postMessage data in client-side code and writing them into the DOM (DOM-based XSS)
  • Shipping no Content-Security-Policy header, so injected script runs unrestricted once one of the above slips through
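The first and third causes above, a URL parameter written into HTML without context-appropriate encoding, shown vulnerable and then hardened. This is an added example, not code from the page or from VAS; the `escapeHtml` and `safeUrl` helpers, the render functions and the request URL are constructed for the demonstration.

```javascript
// Added example (not from the original page): a server-side template that
// reflects URL parameters into HTML, first vulnerable, then hardened.
// escapeHtml, safeUrl, renderVulnerable and renderSafe are illustrative names.

// HTML encoder for text content and double-quoted attribute values. The five
// characters below are the ones that can change HTML structure.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// URL attributes (href, src) need validation, not encoding: "javascript:alert(1)"
// contains none of the five special characters, so escapeHtml passes it through
// and the browser runs it on click. Only absolute http(s) URLs are accepted here.
function safeUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value));
  } catch {
    return '#'; // relative or malformed: rejected in this example
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
}

// BAD: query parameters concatenated into the page as-is (reflected XSS).
function renderVulnerable(params) {
  return `<p>Results for: ${params.q}</p>\n<a href="${params.next}">Continue</a>`;
}

// GOOD: each value encoded or validated for the context it lands in.
function renderSafe(params) {
  return `<p>Results for: ${escapeHtml(params.q)}</p>\n<a href="${safeUrl(params.next)}">Continue</a>`;
}

// Constructed attacker request: an image with an onerror handler in `q`, and a
// javascript: URL in `next`. The host name is invented for the example.
const attackerRequest = new URL(
  'https://shop.example/search?q=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&next=javascript:alert(1)'
);
const attackerParams = Object.fromEntries(attackerRequest.searchParams);

// Returns both renderings so the difference can be inspected or asserted on.
function demo(params = attackerParams) {
  return { vulnerable: renderVulnerable(params), safe: renderSafe(params) };
}

console.log(demo().vulnerable);
console.log(demo().safe);
```

`escapeHtml` is correct only for HTML text and quoted attribute values. Data placed inside a `<script>` block, a CSS value or an unquoted attribute needs the encoder for that context, which is why the safest pattern is to avoid those placements and let a templating engine or framework do the encoding.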

Impact

  • Session hijacking through cookie theft
  • Credential theft via fake login forms
  • Malware distribution
  • Website defacement
  • Keylogging and data exfiltration

How to Detect

  • Submit probe values containing `<`, `>`, `"` and `'` (for example a script tag or an event handler such as onerror) to every reflected or stored input and check how each one comes back in the response
  • Use an XSS scanning tool
  • Review code for innerHTML, outerHTML, document.write, dangerouslySetInnerHTML, v-html and eval applied to untrusted data
  • Run VAS to detect XSS vulnerabilities

How to Fix

Use framework encoding

React, Vue, and Angular escape interpolated text by default, so plain bindings are safe. XSS still gets in through their escape hatches (dangerouslySetInnerHTML in React, v-html in Vue, bypassSecurityTrustHtml in Angular) and through href or src attributes built from user data, which text escaping does not cover.

// React - safe by default: JSX escapes text children, so a value such as
// "<img src=x onerror=alert(1)>" is rendered as visible text, not parsed as HTML
function Comment({ userInput }) {
  return <div>{userInput}</div>;
}

// BAD - bypasses encoding: the string is parsed as HTML and any script it carries runs
function UnsafeComment({ userInput }) {
  return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
}

Implement Content-Security-Policy

The header below is a sound baseline. It blocks inline script blocks, inline event handlers, javascript: URLs and eval(), and allows external scripts only from the page's own origin, so injected script that slips past encoding does not run. CSP is defense in depth, not a substitute for encoding: if the same origin hosts user-uploaded files or JSONP-style endpoints, 'self' can still be abused, which is why nonce- or hash-based policies are now recommended.

Content-Security-Policy: default-src 'self'; script-src 'self'

Sanitize HTML if needed

When the application must render user-supplied HTML (a comment editor, a wiki page), sanitize it with a maintained library such as DOMPurify rather than a hand-written blocklist, keep the library current, and only ever assign the sanitized result to the DOM.

import DOMPurify from 'dompurify';

// Strip scripts, event handlers and javascript: URLs, then insert the cleaned
// string; never insert userHTML directly (container is the receiving element)
const clean = DOMPurify.sanitize(userHTML);
container.innerHTML = clean;

Is Your App Vulnerable?

VAS automatically scans for Cross-Site Scripting (XSS) and provides detailed remediation guidance.
