Cyber Doc logo Cyber Doc
Cybersecurity Term

What is cross-site scripting?

A web weakness that allows unwanted script to run in another user’s browser.

Web & Application Security Last reviewed: 2026-05-20

← Back to Learn Centre

What is cross-site scripting?

Cross-site scripting, or XSS, is a web weakness where an attacker can make a site run unwanted script in a visitor’s browser.

Simple example

A comment field displays user input without proper handling, allowing malicious script to appear on the page.

Why it matters

XSS can be used to steal session information, mislead users, or perform actions in someone else’s browser.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Encode output before displaying user input.
  • Use secure frameworks and templating.
  • Apply a Content Security Policy.
  • Validate input and restrict risky HTML.
  • Test web forms and user-generated content.

Reactive steps

  • Remove the malicious content or affected page.
  • Preserve logs and examples of the payload.
  • Patch the output handling issue.
  • Review whether sessions or accounts were affected.
  • Reset sessions or tokens if needed.

Related terms

  • Content Security Policy
  • Input validation
  • Session hijacking