Overview
- Bug Type:
- XSS
- Category:
- Security
Definition
Attacker-controlled script runs in a victim's browser because untrusted data (query parameters, form fields, stored user content, URL fragments) is rendered into the page as HTML or JavaScript without context-appropriate encoding.
How to fix XSS?
- Encode untrusted data for the context it is inserted into (HTML body, HTML attribute, JavaScript string, URL, CSS); one HTML encoder is not enough for every context.
- Avoid raw-HTML sinks such as dangerouslySetInnerHTML, innerHTML, outerHTML and document.write; set text with textContent or with framework bindings that escape by default.
- If user-supplied HTML must be rendered, run it through an allowlist-based sanitizer rather than stripping known-bad tags.
- Deploy a Content Security Policy that disallows inline script and restricts script sources, using nonces or hashes for any inline script you must keep.
- Never build inline event handlers (onclick="...") or javascript: URLs from user data; attach handlers with addEventListener and allow only http(s) links.
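The encoding advice above, shown as an added example that is not part of the original page: an unsafe template that concatenates user data into markup (the same failure as innerHTML or dangerouslySetInnerHTML) beside a version that encodes each interpolation point for its context. The user record and payload strings are constructed for the example; escapeHtml, safeHref and the render functions are illustrative names, not a library API.

```javascript
// Encoder for the HTML text and double-quoted attribute contexts. These five
// characters are sufficient for those two contexts only; JavaScript strings,
// URLs and CSS each need their own encoder.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context: accept only absolute http(s) URLs. javascript:, data:,
// vbscript: and unparsable input all collapse to a harmless '#'.
// (The constructor lowercases the scheme, so 'JavaScript:' is caught too.)
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// VULNERABLE: untrusted fields land in three different contexts (attribute,
// URL, element body) with no encoding at all.
function renderProfileUnsafe(user) {
  return `<div class="profile" title="${user.bio}">` +
         `<a href="${user.site}">${user.name}</a></div>`;
}

// HARDENED: every interpolation point gets the encoder for its context.
// The href is validated as a URL first, then attribute-encoded.
function renderProfileSafe(user) {
  return `<div class="profile" title="${escapeHtml(user.bio)}">` +
         `<a href="${escapeHtml(safeHref(user.site))}">${escapeHtml(user.name)}</a></div>`;
}

// Browser variant: build DOM nodes and assign text, so no parsing of
// untrusted markup ever happens. `doc` is the document object.
function mountProfile(doc, user) {
  const div = doc.createElement('div');
  div.className = 'profile';
  div.title = user.bio;                 // property assignment, not markup
  const a = doc.createElement('a');
  a.href = safeHref(user.site);
  a.textContent = user.name;            // textContent never interprets HTML
  div.appendChild(a);
  return div;
}

// Constructed attacker-controlled record covering all three contexts.
const attackerProfile = {
  name: '<img src=x onerror="alert(document.cookie)">',
  bio: '" onmouseover="alert(1)',
  site: 'javascript:alert(1)',
};

function demo() {
  return { unsafe: renderProfileUnsafe(attackerProfile), safe: renderProfileSafe(attackerProfile) };
}

console.log(demo());
```

Pair the encoding with a policy that refuses inline script, e.g. `Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'`; under that header an injected `onerror` handler that slipped past encoding is reported in the console as "Refused to execute inline script due to Content Security Policy" rather than executed.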
Symptoms
Observable signs that may indicate XSS:
- User-controlled content renders as HTML or JavaScript instead of text (unexpected alert boxes, injected elements, DOM changes after submitting a form or following a crafted link).
- The browser console shows scripts loading from, or requests going to, origins the application does not use.
- Reports of unexpected redirects, or session cookies and tokens appearing in outbound requests to unfamiliar hosts.
Example Errors (browser messages that often accompany an XSS attempt or an incomplete fix; none is the vulnerability itself):
- Refused to execute inline script due to Content Security Policy (CSP blocked an inline script, possibly an injected one; check whether the script was yours)
- DOMException: Blocked a frame with origin from accessing a cross-origin frame (injected script attempting to reach another origin's frame)
- Audit: Potentially insecure dynamic code evaluation (eval, new Function or innerHTML used on data that may be untrusted)