XSS Prevention: Output Encoding CSP
Understand reflected, stored, and DOM-based XSS, escape user-controlled output, avoid innerHTML with untrusted data, and add a Content Security Policy header.
What Is XSS?
Cross-Site Scripting happens when an attacker injects executable JavaScript into your page. The browser runs it with your origin's privileges — stealing cookies, hijacking sessions, defacing the page, redirecting to malware.
Three Flavours of XSS
Stored: malicious script saved in DB, served to every visitor. Reflected: input echoed back in the response (?q=<script>...). DOM-based: client-side JS writes untrusted data into the DOM.
All lessons in this course
- XSS Prevention: Output Encoding CSP
- CSRF: SameSite Cookies and Tokens
- Content Security Policy: nonce and hash
- OAuth Flows from the Frontend