Input Validation Error High The precise impact depends greatly on the application. XSS is generally a threat to web applications which have authenticated users or are otherwise security sensitive. Malicious code may be able to manipulate the content of the site, changing its appearance and/or function for another user. This includes modifying the behavior of the web application (such as redirecting forms, etc). The code may also be able to perform actions within the application without user knowledge. Script code can also obtain and retransmit cookie values if they haven't been set HttpOnly. The developer must identify how the untrustworthy data is being output to the client without adequate filtering. There are various language/platform specific techniques for filtering untrustworthy data. General rules for preventing XSS can be found in the recommended OWASP XSS Prevention Cheat Sheet (see references). Cross-site scripting (XSS) is a class of vulnerabilities affecting web applications that can result in security controls implemented in browsers being circumvented. When a browser visits a page on a website, script code originating in the website domain can access and manipulate the DOM (document object model), a representation of the page and its properties in the browser. Script code from another website can not. This is known as the "same origin policy", a critical control in the browser security model. Cross-site scripting vulnerabilities occur when a lack of input validation permits users to inject script code into the target website such that it runs in the browser of another user who is visiting the same website. This would circumvent the browser same-origin policy because the browser has no way to distinguish authentic script code from inauthentic, apart from its origin. Cross-Site Scripting (Wikipedia) Cross-Site Scripting (OWASP) XSS Prevention Cheat Sheet Cross-Site Scripting (WASC)