XSS (Cross-Site Scripting) is a vulnerability where an attacker injects malicious JavaScript into a web page so it runs in the victim's browser with that site's privileges.
The injected script inherits the origin's full privileges, so it can steal cookies/sessions, manipulate the DOM, fire requests on the user's behalf — essentially anything.
There are three main types: (1) Stored: the malicious script is saved in the server's DB (e.g. a comment) and repeatedly served to other users — the most dangerous; (2) Reflected: request values like URL parameters are reflected straight into the response and executed; (3) DOM-based: occurs entirely client-side when JavaScript puts untrusted input into a dangerous sink (`innerHTML`, `eval`) without the server. The common cause is inserting untrusted input into an HTML/JS execution context without escaping.
The core defense is output encoding — escape data for the HTML, attribute, JS, or URL context it lands in, and prefer `textContent` over `innerHTML` or use a vetted sanitizer (DOMPurify). For defense in depth, restrict inline and external scripts with a Content-Security-Policy (CSP), set `HttpOnly` on session cookies so scripts can't read them, and apply accurate MIME types with `nosniff` to uploaded content. XSS is a foundational vulnerability that can collapse the Same-Origin Policy and CSRF defenses from the inside, so it must be a top priority to prevent.