Cross-Site Scripting (XSS)


Definition

An attack where malicious scripts are injected into web pages viewed by other users — allowing attackers to steal session tokens, redirect users, or take over accounts.


Why It Matters

Stored XSS in a social platform can compromise every user who views infected content — one payload silently harvests session tokens from thousands of users.


Full Definition

XSS occurs when user-supplied content is rendered as HTML/JavaScript without escaping. Three types: Reflected XSS (payload in URL), Stored XSS (payload saved to DB, executed for every visitor — most dangerous), and DOM-based XSS. A successful XSS attack can steal cookies/session tokens, make authenticated requests on behalf of the victim, redirect to phishing sites, or install keyloggers. React/Next.js escape JSX output by default — the main risk is `dangerouslySetInnerHTML` with unescaped user content.



Avoid these mistakes when defending against Cross-Site Scripting (XSS):

1. Using `dangerouslySetInnerHTML` without sanitization → The name literally warns you. Sanitize first with DOMPurify: call `DOMPurify.sanitize(user.bio)` before passing the result to `dangerouslySetInnerHTML`.
2. Relying only on input validation to prevent XSS → You must escape output too. Validating on input AND escaping on output are both required defenses.
3. Assuming React makes you immune to XSS → DOM-based XSS through `eval()`, `innerHTML`, or unescaped template literals still applies even in React apps.
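
The "escape on output" and "unescaped template literals" points above, shown as an added example (not code from the original page). The helper names `escapeHtml`, `safeHtml`, `renderBioUnsafe` and `renderBioSafe` and the sample record are assumptions made for illustration.

```javascript
// Added example: output escaping for HTML built with template literals.
// All names here (escapeHtml, safeHtml, renderBio*) are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML text or quoted-attribute context.
// A single regex pass means an already-replaced "&" is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal parts pass through, every interpolated value is escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// The mistake: user content interpolated straight into markup.
function renderBioUnsafe(user) {
  return `<p class="bio" title="${user.name}">${user.bio}</p>`;
}

// Hardened: same markup, but every interpolation goes through safeHtml.
function renderBioSafe(user) {
  return safeHtml`<p class="bio" title="${user.name}">${user.bio}</p>`;
}

// Constructed sample record standing in for a stored profile.
const storedUser = {
  name: 'Ann" onmouseover="x',
  bio: "<script>/* constructed test marker */</script> Tom & Jerry",
};

console.log(renderBioUnsafe(storedUser)); // markup from the record survives intact
console.log(renderBioSafe(storedUser));   // record is rendered as inert text
```

Escaping like this covers HTML text and quoted attribute values only. When the content must keep some HTML formatting, sanitize it instead, as in the DOMPurify item above.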
