If your site allows users to add content, you need to be sure that attackers cannot inject malicious JavaScript. One method of doing this is called cross-site scripting (XSS).

Let's see how an attacker could take advantage of cross-site scripting.

Imagine you are the owner of breddit.com, the number one social media site for the baking industry. You have an avid community of commenters who love sharing their bread knowledge.

Because the main use of your website is to facilitate discussion, users can add comments, which are saved to the database and displayed to other users.

Unfortunately the popularity of your site has also attracted the attention of hackers, who want to access your site for nefarious purposes.

Unless you are careful when constructing the HTML, hackers can abuse the comment function by injecting JavaScript.

Watch how Mal injects some malicious JavaScript.

A real attack might use cross-site scripting to steal another user's cookie, which can permit session hijacking.

Now you try. Inject a script tag to call the upvote() function whenever the page is viewed.

We'd better learn how to protect against cross-site scripting then.

Rude.

That's not good.

breddit.com/r/comments/how_much_do_you_like_bread/

breddit

How much do you folks like bread?

roll_with_it

I dream of baking tins.

butter_you_than_me

...

butter_you_than_me

...

breddit.com/r/comments/how_much_do_you_like_bread/

breddit

How much do you folks like bread?

roll_with_it

I dream of baking tins.

I_knead_you_right_now

I love it so much, I think I might be part duck.

butter_you_than_me

...

butter_you_than_me

...

breddit.com/

breddit

Your Loaves Are Soggy and Undercooked

roll_with_it

That's mean. Why would you say that?