cross-site-scripting
Safeguard articles tagged "cross-site-scripting" — guides, analysis, and best practices for software supply chain and application security.
15 articles
Cross-Site Scripting (XSS): A Prevention Guide
XSS lets an attacker run their JavaScript in your users' browsers — stealing sessions, rewriting pages, and pivoting to account takeover. This guide covers the three XSS types and the defenses that actually hold.
What is Cross-Site Scripting (XSS)
XSS lets attackers inject malicious JavaScript into trusted pages. Learn how stored, reflected, and DOM-based XSS work, real breaches, and defenses.
What is Output Encoding
Output encoding neutralizes untrusted data before it reaches a browser or database -- the last line of defense against XSS, and most teams still get it wrong.
Cross-site scripting (XSS) explained for developers
XSS has topped vulnerability lists for two decades. Here's how reflected, stored, and DOM-based XSS actually work, real incidents, and how to fix them.
CVE-2020-11023: XSS in jQuery option/script tag handling
CVE-2020-11023 let untrusted HTML with option tags bypass sanitization in jQuery's DOM methods, enabling XSS. Here's the fix, timeline, and remediation.
CVE-2015-9251: jQuery cross-domain AJAX XSS
CVE-2015-9251 lets attackers exploit jQuery's cross-domain AJAX handling to run arbitrary script. Learn affected versions, risk context, and fixes.
DOM-Based XSS: Finding and Fixing Client-Side Injection
DOM XSS never touches your server, so response scanners miss it. Here is how to trace sources to sinks in client code and shut the flaw down.
Stored XSS: Why Persistent Injection Hurts Most
Stored XSS saves the attacker's script server-side and serves it to everyone. Here is why persistent injection is the most damaging XSS variant and how to stop it.
XSS Examples: Real Payloads and How They Execute
Concrete XSS examples across HTML, attribute, and JavaScript contexts, with the payloads that trigger them and why each one runs.
CVE-2011-4969: The jQuery XSS Bug, a Decade Later
CVE-2011-4969 is a cross-site scripting flaw in jQuery versions before 1.6.3, triggered by unsanitized attribute-selector input — it's a small, old bug, but the reasons it lingered in codebases for years are still relevant.
XSS Scripting Attacks: A Refresher for Engineers
XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.
What Is XSS? Cross-Site Scripting Full Form and Basics
XSS is short for cross-site scripting, a vulnerability that lets attackers run malicious scripts in a victim's browser. Here's how it works, its three main types, and how it's actually caught.