@joker314
Last active December 31, 2017 18:33

What is XSS

XSS stands for Cross-site scripting, and it's a security vulnerability. It's when an attacker can inject their own code (usually JavaScript) into a vulnerable website, so that it runs in a victim's browser, where it could deceive the victim or take over their account.

How does it work?

Let's say I have an input field on my website, where anybody can leave a comment. This comment will, for simplicity, replace the previous comment.

<div>
Hah! This is such a cool site!
</div>
<form action="/" method="post">
  <input type="text" placeholder="Your comment here..." name="comment" />
</form>

Now let's say I use PHP; then I might have this code:

<div>
<?php
/* Database querying goes here */
/* Now we store the comment we retrieved from our database in $comment */
echo $comment; /* Vulnerable: the comment is written into the page without HTML encoding */
?>
</div>
<form action="/" method="post">
  <input type="text" placeholder="Your comment here..." name="comment" />
</form>

Assuming we aren't vulnerable to SQL injection, this looks safe, right? Wrong.

Let's imagine I enter a comment like

Wow, this is amazing! <script>alert()</script>

Then the resulting page would look like

<div>
Wow, this is amazing! <script>alert()</script>
</div>
<form action="/" method="post">
  <input type="text" placeholder="Your comment here..." name="comment" />
</form>

And an alert box would appear. This is dangerous: imagine what script we could have put there instead.

We could have sent the user's cookies to our own, attacking, site (unless the session cookie is marked HttpOnly, which keeps it out of reach of script) and used them to take over the account. Or, if we can't be bothered to do that, the script could delete somebody's account, perform actions as if it were the user, etc., and the user might not even know.

The proper way to let users type comments that include special characters is to HTML-encode the comment at the moment you output it into the page.

If the attacker types <, you should replace it with &lt; (which the browser renders as < but does not treat as the start of a tag).

Special character    HTML encoded
<                    &lt;
>                    &gt;
"                    &quot;
'                    &apos; (or &#39;)
&                    &amp;

Note that you don't have to escape all of the above characters in every context (though nobody's going to stop you if you do, and escaping all five is the safest default). In ordinary text between tags, < and & are the ones that matter. Escaping the & is useful so that somebody who leaves a comment containing &amp; isn't surprised to see it collapse into a plain & sign, and so that an attacker can't smuggle in entity sequences of their own. If you are inside an attribute, it's very important to escape the closing quote/apostrophe character that corresponds with the one you used to open it; otherwise a value such as " onfocus="alert()" closes your attribute and adds attributes of its own without needing a single < character. Just be careful, and make sure an attacker couldn't use any of the characters above that you didn't escape to break out of whatever you are doing and cause harm. In PHP, htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') encodes all five characters for you and is preferable to a hand-written replacement. Also note that &apos; is only defined in HTML5; &#39; works everywhere.
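As an added example (not code from the gist), here is the encoding from the table applied in JavaScript, which runs under Node without a browser. The function names and both payloads are invented for this example; the second payload shows why the quote character matters inside an attribute, and a small single-tag attribute parser is included to show what the browser would see.

```javascript
// Added example, not from the original gist. Function names and payloads are
// invented for illustration.

// Encode the five characters from the table above. &#39; is used for the
// apostrophe instead of &apos; because &apos; is only defined in HTML5.
function escapeHtml(text) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '&': '&amp;' };
  return String(text).replace(/[<>"'&]/g, (ch) => map[ch]);
}

// The vulnerable rendering from the PHP example: the stored comment is
// written into the page as-is.
function renderCommentVulnerable(comment) {
  return `<div>\n${comment}\n</div>`;
}

// The fix: encode at the moment the comment is written into HTML.
function renderCommentSafe(comment) {
  return `<div>\n${escapeHtml(comment)}\n</div>`;
}

// Attribute context: pre-filling the comment box with the previous comment.
// Encoding only < and > is NOT enough here, because the attacker can close
// the quote and add attributes of their own.
function renderInputOnlyAngles(previous) {
  const partial = String(previous).replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<input type="text" name="comment" value="${partial}" />`;
}

// Same attribute, with the full encoding applied.
function renderInputSafe(previous) {
  return `<input type="text" name="comment" value="${escapeHtml(previous)}" />`;
}

// Simplified attribute parser for a single tag, used to show what the browser
// would actually see. It only handles double-quoted or bare attributes.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed payloads for the demonstration.
const SCRIPT_PAYLOAD = 'Wow, this is amazing! <script>alert()</script>';
// No angle brackets at all: it closes value="..." and injects an event handler
// that fires as soon as the page loads, thanks to autofocus.
const ATTR_PAYLOAD = '" autofocus onfocus="alert()" x="';

console.log(renderCommentVulnerable(SCRIPT_PAYLOAD));
console.log(renderCommentSafe(SCRIPT_PAYLOAD));
console.log(attributeNames(renderInputOnlyAngles(ATTR_PAYLOAD))); // includes "onfocus"
console.log(attributeNames(renderInputSafe(ATTR_PAYLOAD)));       // type, name, value
```

Run it with node and compare the two input tags: with only the angle brackets encoded, the browser sees six attributes including onfocus; with the quote encoded as well, the whole payload stays inside the value attribute.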

Other types of XSS

What I showed just now was Stored XSS: the server stores the attacker's XSS payload (the code they used) and serves it to every visitor who loads the page.

However, sometimes your site might echo some or all of the URL back into the page (for example, through a $_GET[...] value). Then the payload travels in a link the attacker sends to the victim rather than being stored, and this type of attack is called Reflected XSS.

Some browsers (Chrome and Internet Explorer/Edge at the time of writing; the feature has since been removed from Chrome and Edge, and Firefox never had it) would examine the URL, and if the page contained any script that was also found in that URL, they would refuse to run it, sometimes blocking the entire page from loading. You could decide what to do in these situations by setting an X-XSS-Protection response header (X-Frame-Options is a different header, for clickjacking). The defence that still exists is output encoding, backed by a Content-Security-Policy header.

However, don't count on XSS filters from the browser. They can sometimes be bypassed, and if you have a bad-word filter on your server that modifies the input before displaying it, the reflected text no longer matches what was in the URL, which tricks the browser into thinking it isn't Reflected XSS at all.

Another type of XSS is DOM-based XSS. That's when JavaScript already running on your page reads an attacker-controlled value (such as location.hash, location.search or document.referrer) and writes it into the page through innerHTML, document.write or a similar sink, so the payload is placed after the page has finished loading and the server never even sees it.
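As an added example (not code from the gist), here is a reflected sink that takes its payload from the URL, the kind of "bad word filter" the previous section warns about, and a rough model of the old URL-matching browser filter, all in JavaScript so it runs under Node. The function names, the sample URLs and the filter are invented for this example. The same URL-reading source, used from client-side code via location.href, is the DOM-based variant of the same mistake.

```javascript
// Added example, not from the original gist. Function names, the sample URLs
// and the "bad word" filter are invented for illustration.

// Source: the name parameter of the URL. A PHP page would read $_GET['name'];
// client-side code reading new URL(location.href).searchParams is the
// DOM-based variant of the same mistake.
function nameFromUrl(url) {
  return new URL(url).searchParams.get('name') || 'stranger';
}

// Vulnerable sink: the name is interpolated straight into HTML.
function renderGreetingUnfiltered(url) {
  return `<h1>Hello, ${nameFromUrl(url)}!</h1>`;
}

// A blacklist "filter" that deletes the word "script". It is not a fix, and
// it also defeats any URL-matching browser filter, as shown below. The real
// fix is the HTML encoding from the table earlier on this page.
function badWordFilter(text) {
  return text.replace(/script/gi, '');
}

function renderGreetingFiltered(url) {
  return `<h1>Hello, ${badWordFilter(nameFromUrl(url))}!</h1>`;
}

// Very rough model of the old browser XSS auditor: refuse to run a <script>
// block that also appears verbatim in the decoded request URL.
function naiveAuditorWouldBlock(url, html) {
  const m = html.match(/<script>[\s\S]*?<\/script>/i);
  return m !== null && decodeURIComponent(url).includes(m[0]);
}

// Constructed attacker URLs.
const DIRECT = 'https://example.invalid/?name=' +
  encodeURIComponent('<script>alert()</script>');
// The forbidden word is nested inside itself, so one pass of the filter
// reassembles it: <scrscriptipt> becomes <script>.
const NESTED = 'https://example.invalid/?name=' +
  encodeURIComponent('<scrscriptipt>alert()</scrscriptipt>');

console.log(renderGreetingUnfiltered(DIRECT)); // reflected as-is; the auditor would block it
console.log(renderGreetingFiltered(DIRECT));   // the filter mangles the naive payload
console.log(renderGreetingFiltered(NESTED));   // the filter rebuilds <script>, and the
                                               // URL no longer contains that string
```

The third line of output is the point of the example: after the filter runs, the page contains a script tag that the request URL does not, so a browser comparing the two has nothing to match on, and the filter has turned a reflected payload the browser could catch into one it cannot.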

Hope this explanation helps!
