{"id":7886,"date":"2010-11-19T06:34:18","date_gmt":"2010-11-19T13:34:18","guid":{"rendered":"http:\/\/css-tricks.com\/?p=7886"},"modified":"2010-11-19T06:34:18","modified_gmt":"2010-11-19T13:34:18","slug":"what-is-xss","status":"publish","type":"post","link":"https:\/\/css-tricks.com\/what-is-xss\/","title":{"rendered":"What is Cross Site Scripting or XSS?"},"content":{"rendered":"

I think the name “cross site” is confusing. It’s easy to hear that and think it involves code on one website attacking code on another website. That’s not what it is. Not to mention its unfortunate “true” acronym.

It simply means: executing arbitrary JavaScript code on the page.


This could be JavaScript inserted into the URL or submitted through a form. If either of those ways of accepting input doesn’t “clean” what it receives before outputting it again on the page, then arbitrary JavaScript can run on that page, and that’s an XSS vulnerability.

If JavaScript can run on the page, then it can access cookies.

If it can access cookies, then it can access active sessions.

If it can access active sessions, it can log in as you to websites you are logged in to, at least long enough to change passwords or wreak other havoc.

Symantec has said that 80% of internet vulnerabilities are due to XSS.

XSS is different from, but similar in spirit to, SQL injection. SQL injection is where SQL commands in inputs are not cleaned and are thus able to do malicious things to a database. Using HTTPS cannot help with either XSS or SQL injection: HTTPS only protects data in transit over the network.

I’m not a security expert; I’m just helping spread the word: let’s scrub those inputs, people! Here’s a start.

If you have more to add, or think I have it all wrong, let’s have it!","protected":false},"excerpt":{"rendered":"

I think the name “cross site” is confusing. It’s easy to hear that and think it involves code on one website attacking code on another website. That’s not what it is. Not to mention its unfortunate “true” acronym. It simply means: executing arbitrary JavaScript code on the page.","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[4],"tags":[]}