Security news aggregator

Latest coverage for XSS

XSS lets attackers run scripts in a victim's browser, enabling data theft or account abuse; contextual output encoding and CSP reduce risk.

1 headlines in this view

Refine the feed

Search across headline titles and summaries.

Tag briefing

Background for this topic.

Cross-site scripting (XSS) is a web-application flaw in which attacker-controlled input is interpreted as script in another user’s browser. It can be stored in application data, reflected in an immediate response, or introduced by unsafe client-side code (DOM-based XSS). The script runs in the affected site’s origin, so it may read page content, alter requests, or perform actions available to the victim; impact depends on the victim’s privileges and the application’s defenses.

The primary mitigation is context-aware output encoding: treat untrusted data as text when inserting it into HTML, attributes, URLs, JavaScript, or CSS, and use safe DOM APIs such as textContent rather than unsafe HTML insertion. If user-authored HTML is required, apply a well-tested HTML sanitizer. A restrictive Content Security Policy can limit exploitability but is defense in depth, not a substitute for correct encoding. HttpOnly cookies can reduce direct cookie theft, but do not prevent XSS from performing in-session actions.

Showing 1 most recent headlines Filtered view

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft Office SharePoint, stating they have been actively exploited in the wild