Cross-site Scripting (XSS)

Written by: Chris in Web Technology

Cross-site scripting (XSS) is a type of vulnerability that has been possible for a long time but grew exponentially with AJAX, the newer technology built from JavaScript and XML. It operates silently (unless it chooses to make itself known) and can also fail silently, meaning it leaves virtually no trace, and certainly no easily visible one.

XSS vulnerabilities are generally created by user input that is not sanitized. For example, a comment form may allow a malicious user to insert JavaScript code, which then executes whenever a visitor views the “infected” comment. Since this malicious XSS code is aware of AJAX, it can affect both the client (the browser executing the XSS) and the server (the new, unintentional host of the malicious code). Through methods unrelated to AJAX, the malicious code can also contact other servers (for example, the malicious user’s own server, to collect passwords).

Avoiding most XSS vulnerabilities is actually relatively easy: it is a matter of remembering that user input is malicious until proven – or preferably, forced to be – benign.
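
The comment-form case above, as an added example (not code from the original post): a renderer that trusts user input next to one that forces it to be benign. The field names `author`, `website` and `body`, the function names and the sample comment are all assumptions made for illustration.

```javascript
// Added example: constructed data, hypothetical field and function names.

// Encode the five characters that can change HTML structure.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Proven benign": accept a link only if it parses and uses http or https.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null; // not an absolute URL: drop the link
  }
}

// Vulnerable: user input is concatenated straight into the markup.
function renderCommentUnsafe(c) {
  return `<div class="comment"><a href="${c.website}">${c.author}</a><p>${c.body}</p></div>`;
}

// Hardened: every field is validated or encoded for the context it lands in.
function renderCommentSafe(c) {
  const href = safeUrl(c.website);
  const author = escapeHtml(c.author);
  const name = href
    ? `<a href="${escapeHtml(href)}" rel="nofollow noopener">${author}</a>`
    : author;
  return `<div class="comment">${name}<p>${escapeHtml(c.body)}</p></div>`;
}

// Constructed sample comment with markup in every field.
const sample = {
  author: 'Mallory <b>',
  website: 'javascript:alert(1)',
  body: 'Nice post!<script>alert(1)</script>',
};

console.log(renderCommentUnsafe(sample)); // script tag and javascript: link survive
console.log(renderCommentSafe(sample));   // same input rendered as inert text
```

Encoding is applied at output time and per context: text nodes and attribute values are HTML-escaped, while the link target is additionally checked against a scheme allowlist because escaping alone does not neutralize a `javascript:` URL.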
