Cross-Site Scripting

Cross-site scripting is a web-application flaw that allows untrusted content to run in a user's browser in the context of a trusted site.

Cross-site scripting, or XSS, is a web-application vulnerability that allows untrusted content to execute in a user’s browser within the context of a trusted site. In plain language, the site ends up sending or displaying data in a way that the browser treats as active code instead of ordinary content.

Why It Matters

XSS matters because browsers trust content from the sites users visit. If an attacker can make a site deliver unsafe content, that content may interact with the user’s session, page data, or actions in ways the user did not intend.

It also matters because XSS shows why application security includes safe output handling, not only safe input handling. A web application has to control how data is rendered in the browser as carefully as it controls how data is stored or queried.

Where It Appears in Real Systems or Security Workflow

XSS appears in web pages, front-end templates, comments, search results, account pages, and any feature that reflects or stores untrusted content. Teams look for it during secure coding review, SAST, DAST, and browser-focused application testing.

Security teams also consider how Web Application Firewalls and browser protections can reduce some exposure while the application code is corrected.

Practical Example

A customer-support portal displays user-submitted profile text on an account page without encoding that content for the HTML context it is rendered into. Because the text is inserted into the page as markup, another user viewing that page may receive active browser-side code instead of harmless text.
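The portal scenario above, shown as code. This is an added example and not code from the original page: a small Node.js renderer that places stored profile text into a page first without and then with output encoding, plus the kind of response headers a team might set as a stop-gap while the rendering code is fixed. The profile data, function names, and policy values are constructed for the illustration.

```javascript
// Added example (not from the original page): a profile-page renderer with
// the unsafe rendering described above beside an output-encoded form.
// Runs under Node.js; every input below is constructed sample data.

// Encode the five characters that let text break out of an HTML text node
// or attribute value. This is output handling: it runs at render time,
// whatever validation happened when the profile text was stored.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: stored profile text is concatenated straight into markup, so
// any tags it contains become part of the document the browser parses.
function renderProfileUnsafe(profile) {
  return `<section class="profile"><h2>${profile.name}</h2><p>${profile.bio}</p></section>`;
}

// Hardened: each untrusted value is encoded for the HTML text context it is
// placed in, so the browser displays the tags as literal characters.
function renderProfileSafe(profile) {
  return `<section class="profile"><h2>${escapeHtml(profile.name)}</h2><p>${escapeHtml(profile.bio)}</p></section>`;
}

// Defence in depth while the code is being corrected: a Content-Security-Policy
// that disallows inline script limits what injected markup can do. The policy
// values are an assumed example, not a recommendation for any particular site.
function securityHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Demonstration-only check: after removing the tags the template itself
// emits, does the rendered HTML still contain a raw tag? In a real review
// this would be a browser or HTML parser, not a regular expression.
const TEMPLATE_TAGS = /<\/?(section|h2|p)\b[^>]*>/g;
function containsForeignTag(html) {
  return /<[a-zA-Z!\/]/.test(html.replace(TEMPLATE_TAGS, ""));
}

// Constructed sample profile whose fields contain markup.
const sampleProfile = {
  name: "Dana <admin>",
  bio: 'Likes "cats" & dogs <script>console.log("ran in another user\'s page")</script>',
};

console.log("unsafe :", renderProfileUnsafe(sampleProfile));
console.log("safe   :", renderProfileSafe(sampleProfile));
console.log("headers:", securityHeaders());
```

The encoding function is deliberately tied to one context (HTML text and quoted attribute values); text placed inside a URL, a JavaScript string, or a CSS rule needs the encoding rules of that context instead, which is why templating libraries with context-aware auto-escaping are preferred over hand-rolled helpers in production code.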

Common Misunderstandings and Close Contrasts

XSS is not the same as SQL Injection. SQL injection affects database query logic. XSS affects how web content is delivered and interpreted in the browser.

It is also different from Cross-Site Request Forgery. XSS involves unsafe content execution in the browser context, while CSRF abuses a user’s authenticated browser state to trigger unintended requests.

Knowledge Check

  1. Where does XSS execute? In the user’s browser in the context of a trusted site.
  2. What is the core security mistake behind XSS? Untrusted content is handled in a way that the browser treats as active code.
  3. How is XSS different from CSRF? XSS involves unsafe content execution, while CSRF abuses authenticated request behavior.