Editing JavaScript (section)

=== Cross-site scripting ===
{{Main|Cross-site scripting}}

A common JavaScript-related security problem is [[cross-site scripting]] (XSS), a violation of the [[same-origin policy]]. XSS vulnerabilities occur when an attacker can cause a target Website, such as an online banking website, to include a malicious script in the webpage presented to a victim. The script in this example can then access the banking application with the privileges of the victim, potentially disclosing secret information or transferring money without the victim's authorization. One important solution to XSS vulnerabilities is [[HTML sanitization]].

Some browsers include partial protection against ''reflected'' XSS attacks, in which the attacker provides a URL including malicious script. However, even users of those browsers are vulnerable to other XSS attacks, such as those where the malicious code is stored in a database. Only correct design of Web applications on the server-side can fully prevent XSS.

XSS vulnerabilities can also occur because of implementation mistakes by browser authors.<ref>{{cite web |url=https://www.mozillazine.org/talkback.html?article=4392 |title=Mozilla Cross-Site Scripting Vulnerability Reported and Fixed&nbsp;– MozillaZine Talkback |website=Mozillazine.org |access-date=February 24, 2017 |archive-date=July 21, 2011 |archive-url=https://web.archive.org/web/20110721230916/http://www.mozillazine.org/talkback.html?article=4392 |url-status=live }}</ref>