Cross-Site Scripting (XSS)
Definition
An attack where malicious scripts are injected into web pages viewed by other users — allowing attackers to steal session tokens, redirect users, or take over accounts.
Why It Matters
Stored XSS in a social platform can compromise every user who views infected content — one payload silently harvests session tokens from thousands of users.
Example Usage
“Stored XSS in a social platform can compromise every user who views infected content — one payload silently harvests session tokens from thousands of users.”
AI Builder Tips
Avoid these mistakes when defending against Cross-Site Scripting (XSS):
Using `dangerouslySetInnerHTML` without sanitization → The name literally warns you. Sanitize first with DOMPurify: `DOMPurify.sanitize(user.bio)` before passing to dangerouslySetInnerHTML.
Relying only on input validation to prevent XSS → You must escape output too — validating on input AND escaping on output are both required defenses.
Assuming React makes you immune to XSS → DOM-based XSS through `eval()`, `innerHTML`, or unescaped template literals still applies even in React apps.
Help me build a project using Cross-Site Scripting (XSS). Explain: 1. What is Cross-Site Scripting (XSS) and why it matters 2. The core architecture and required tools 3. Step-by-step implementation plan 4. Common mistakes to avoid: Using `dangerouslySetInnerHTML` without sanitization → The name literally warns you. Sanitize first with DOMPurify: `DOMPurify.sanitize(user.bio)` before passing to dangerouslySetInnerHTML., Relying only on input validation to prevent XSS → You must escape output too — validate on input AND escape on output are both required defenses., Assuming React makes you immune to XSS → DOM-based XSS through `eval()`, `innerHTML`, or unescaped template literals still applies even in React apps. 5. Best practices and production tips
Official Resources
No official documentation link on file for Cross-Site Scripting (XSS) yet.