CINXE.COM
Cross-site scripting - Wikipedia
<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Cross-site scripting - Wikipedia</title> <script>(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy", "wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"7a383f71-f696-43f6-a8cb-522c0b6ef09f","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Cross-site_scripting","wgTitle":"Cross-site 
scripting","wgCurRevisionId":1258701613,"wgRevisionId":1258701613,"wgArticleId":241154,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["All articles with dead external links","Articles with dead external links from August 2018","Articles with permanently dead external links","Articles with short description","Short description is different from Wikidata","Use mdy dates from June 2019","All pages needing factual verification","Wikipedia articles needing factual verification from October 2024","Web security exploits","Injection exploits","Hacking (computer security)","Client-side web security exploits"], "wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Cross-site_scripting","wgRelevantArticleId":241154,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":30000,"wgRelatedArticlesCompat":[],"wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId" 
:"Q371199","wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics":true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","jquery.makeCollapsible.styles":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","site","mediawiki.page.ready","jquery.makeCollapsible","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP", "ext.centralNotice.startUp","ext.gadget.ReferenceTooltips","ext.gadget.switcher","ext.urlShortener.toolbar","ext.centralauth.centralautologin","mmv.bootstrap","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022","ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession","wikibase.sidebar.tracking"];</script> <script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" 
href="/w/load.php?lang=en&modules=ext.cite.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cjquery.makeCollapsible.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&only=styles&skin=vector-2022"> <script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="Cross-site scripting - Wikipedia"> <meta property="og:type" content="website"> <link rel="preconnect" href="//upload.wikimedia.org"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Cross-site_scripting"> <link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Cross-site_scripting&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"> <link rel="icon" href="/static/favicon/wikipedia.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"> <link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"> <link rel="canonical" href="https://en.wikipedia.org/wiki/Cross-site_scripting"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> <link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom"> <link rel="dns-prefetch" 
href="//meta.wikimedia.org" /> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Cross-site_scripting rootpage-Cross-site_scripting skin-vector-2022 action-view"><a class="mw-jump-link" href="#bodyContent">Jump to content</a> <div class="vector-header-container"> <header class="vector-header mw-header"> <div class="vector-header-start"> <nav class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-dropdown" class="vector-dropdown vector-main-menu-dropdown vector-button-flush-left vector-button-flush-right" > <input type="checkbox" id="vector-main-menu-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-main-menu-dropdown" class="vector-dropdown-checkbox " aria-label="Main menu" > <label id="vector-main-menu-dropdown-label" for="vector-main-menu-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-menu mw-ui-icon-wikimedia-menu"></span> <span class="vector-dropdown-label-text">Main menu</span> </label> <div class="vector-dropdown-content"> <div id="vector-main-menu-unpinned-container" class="vector-unpinned-container"> <div id="vector-main-menu" class="vector-main-menu vector-pinnable-element"> <div class="vector-pinnable-header vector-main-menu-pinnable-header vector-pinnable-header-unpinned" data-feature-name="main-menu-pinned" data-pinnable-element-id="vector-main-menu" data-pinned-container-id="vector-main-menu-pinned-container" data-unpinned-container-id="vector-main-menu-unpinned-container" > <div class="vector-pinnable-header-label">Main menu</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" 
data-event-name="pinnable-header.vector-main-menu.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-main-menu.unpin">hide</button> </div> <div id="p-navigation" class="vector-menu mw-portlet mw-portlet-navigation" > <div class="vector-menu-heading"> Navigation </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mainpage-description" class="mw-list-item"><a href="/wiki/Main_Page" title="Visit the main page [z]" accesskey="z"><span>Main page</span></a></li><li id="n-contents" class="mw-list-item"><a href="/wiki/Wikipedia:Contents" title="Guides to browsing Wikipedia"><span>Contents</span></a></li><li id="n-currentevents" class="mw-list-item"><a href="/wiki/Portal:Current_events" title="Articles related to current events"><span>Current events</span></a></li><li id="n-randompage" class="mw-list-item"><a href="/wiki/Special:Random" title="Visit a randomly selected article [x]" accesskey="x"><span>Random article</span></a></li><li id="n-aboutsite" class="mw-list-item"><a href="/wiki/Wikipedia:About" title="Learn about Wikipedia and how it works"><span>About Wikipedia</span></a></li><li id="n-contactpage" class="mw-list-item"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us" title="How to contact Wikipedia"><span>Contact us</span></a></li> </ul> </div> </div> <div id="p-interaction" class="vector-menu mw-portlet mw-portlet-interaction" > <div class="vector-menu-heading"> Contribute </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-help" class="mw-list-item"><a href="/wiki/Help:Contents" title="Guidance on how to use and edit Wikipedia"><span>Help</span></a></li><li id="n-introduction" class="mw-list-item"><a href="/wiki/Help:Introduction" title="Learn how to edit Wikipedia"><span>Learn to edit</span></a></li><li id="n-portal" class="mw-list-item"><a 
href="/wiki/Wikipedia:Community_portal" title="The hub for editors"><span>Community portal</span></a></li><li id="n-recentchanges" class="mw-list-item"><a href="/wiki/Special:RecentChanges" title="A list of recent changes to Wikipedia [r]" accesskey="r"><span>Recent changes</span></a></li><li id="n-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_upload_wizard" title="Add images or other media for use on Wikipedia"><span>Upload file</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> <a href="/wiki/Main_Page" class="mw-logo"> <img class="mw-logo-icon" src="/static/images/icons/wikipedia.png" alt="" aria-hidden="true" height="50" width="50"> <span class="mw-logo-container skin-invert"> <img class="mw-logo-wordmark" alt="Wikipedia" src="/static/images/mobile/copyright/wikipedia-wordmark-en.svg" style="width: 7.5em; height: 1.125em;"> <img class="mw-logo-tagline" alt="The Free Encyclopedia" src="/static/images/mobile/copyright/wikipedia-tagline-en.svg" width="117" height="13" style="width: 7.3125em; height: 0.8125em;"> </span> </a> </div> <div class="vector-header-end"> <div id="p-search" role="search" class="vector-search-box-vue vector-search-box-collapses vector-search-box-show-thumbnail vector-search-box-auto-expand-width vector-search-box"> <a href="/wiki/Special:Search" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only search-toggle" title="Search Wikipedia [f]" accesskey="f"><span class="vector-icon mw-ui-icon-search mw-ui-icon-wikimedia-search"></span> <span>Search</span> </a> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail cdx-typeahead-search--auto-expand-width"> <form action="/w/index.php" id="searchform" class="cdx-search-input cdx-search-input--has-end-button"> <div id="simpleSearch" class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input 
cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search Wikipedia" aria-label="Search Wikipedia" autocapitalize="sentences" title="Search Wikipedia [f]" accesskey="f" id="searchInput" > <span class="cdx-text-input__icon cdx-text-input__start-icon"></span> </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <nav class="vector-user-links vector-user-links-wide" aria-label="Personal tools"> <div class="vector-user-links-main"> <div id="p-vector-user-menu-preferences" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-userpage" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-dropdown" class="vector-dropdown " title="Change the appearance of the page's font size, width, and color" > <input type="checkbox" id="vector-appearance-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-appearance-dropdown" class="vector-dropdown-checkbox " aria-label="Appearance" > <label id="vector-appearance-dropdown-label" for="vector-appearance-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-appearance mw-ui-icon-wikimedia-appearance"></span> <span class="vector-dropdown-label-text">Appearance</span> </label> <div class="vector-dropdown-content"> <div id="vector-appearance-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div id="p-vector-user-menu-notifications" 
class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-overflow" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en" class=""><span>Donate</span></a> </li> <li id="pt-createaccount-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:CreateAccount&returnto=Cross-site+scripting" title="You are encouraged to create an account and log in; however, it is not mandatory" class=""><span>Create account</span></a> </li> <li id="pt-login-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:UserLogin&returnto=Cross-site+scripting" title="You're encouraged to log in; however, it's not mandatory. 
[o]" accesskey="o" class=""><span>Log in</span></a> </li> </ul> </div> </div> </div> <div id="vector-user-links-dropdown" class="vector-dropdown vector-user-menu vector-button-flush-right vector-user-menu-logged-out" title="Log in and more options" > <input type="checkbox" id="vector-user-links-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-user-links-dropdown" class="vector-dropdown-checkbox " aria-label="Personal tools" > <label id="vector-user-links-dropdown-label" for="vector-user-links-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-ellipsis mw-ui-icon-wikimedia-ellipsis"></span> <span class="vector-dropdown-label-text">Personal tools</span> </label> <div class="vector-dropdown-content"> <div id="p-personal" class="vector-menu mw-portlet mw-portlet-personal user-links-collapsible-item" title="User menu" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport" class="user-links-collapsible-item mw-list-item"><a href="https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en"><span>Donate</span></a></li><li id="pt-createaccount" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:CreateAccount&returnto=Cross-site+scripting" title="You are encouraged to create an account and log in; however, it is not mandatory"><span class="vector-icon mw-ui-icon-userAdd mw-ui-icon-wikimedia-userAdd"></span> <span>Create account</span></a></li><li id="pt-login" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:UserLogin&returnto=Cross-site+scripting" title="You're encouraged to log in; however, it's not mandatory. 
[o]" accesskey="o"><span class="vector-icon mw-ui-icon-logIn mw-ui-icon-wikimedia-logIn"></span> <span>Log in</span></a></li> </ul> </div> </div> <div id="p-user-menu-anon-editor" class="vector-menu mw-portlet mw-portlet-user-menu-anon-editor" > <div class="vector-menu-heading"> Pages for logged out editors <a href="/wiki/Help:Introduction" aria-label="Learn more about editing"><span>learn more</span></a> </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-anoncontribs" class="mw-list-item"><a href="/wiki/Special:MyContributions" title="A list of edits made from this IP address [y]" accesskey="y"><span>Contributions</span></a></li><li id="pt-anontalk" class="mw-list-item"><a href="/wiki/Special:MyTalk" title="Discussion about edits from this IP address [n]" accesskey="n"><span>Talk</span></a></li> </ul> </div> </div> </div> </div> </nav> </div> </header> </div> <div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="vector-sitenotice-container"> <div id="siteNotice"><!-- CentralNotice --></div> </div> <div class="vector-column-start"> <div class="vector-main-menu-container"> <div id="mw-navigation"> <nav id="mw-panel" class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-pinned-container" class="vector-pinned-container"> </div> </nav> </div> </div> <div class="vector-sticky-pinned-container"> <nav id="mw-panel-toc" aria-label="Contents" data-event-name="ui.sidebar-toc" class="mw-table-of-contents-container vector-toc-landmark"> <div id="vector-toc-pinned-container" class="vector-pinned-container"> <div id="vector-toc" class="vector-toc vector-pinnable-element"> <div class="vector-pinnable-header vector-toc-pinnable-header vector-pinnable-header-pinned" data-feature-name="toc-pinned" data-pinnable-element-id="vector-toc" > <h2 class="vector-pinnable-header-label">Contents</h2> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" 
data-event-name="pinnable-header.vector-toc.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-toc.unpin">hide</button> </div> <ul class="vector-toc-contents" id="mw-panel-toc-list"> <li id="toc-mw-content-text" class="vector-toc-list-item vector-toc-level-1"> <a href="#" class="vector-toc-link"> <div class="vector-toc-text">(Top)</div> </a> </li> <li id="toc-Background" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Background"> <div class="vector-toc-text"> <span class="vector-toc-numb">1</span> <span>Background</span> </div> </a> <ul id="toc-Background-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Types" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Types"> <div class="vector-toc-text"> <span class="vector-toc-numb">2</span> <span>Types</span> </div> </a> <button aria-controls="toc-Types-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> <span class="vector-icon mw-ui-icon-wikimedia-expand"></span> <span>Toggle Types subsection</span> </button> <ul id="toc-Types-sublist" class="vector-toc-list"> <li id="toc-Non-persistent_(reflected)" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Non-persistent_(reflected)"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.1</span> <span>Non-persistent (reflected)</span> </div> </a> <ul id="toc-Non-persistent_(reflected)-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Persistent_(or_stored)" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Persistent_(or_stored)"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.2</span> <span>Persistent (or stored)</span> </div> </a> <ul id="toc-Persistent_(or_stored)-sublist" 
class="vector-toc-list"> </ul> </li> <li id="toc-Server-side_versus_DOM-based_vulnerabilities" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Server-side_versus_DOM-based_vulnerabilities"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.3</span> <span>Server-side versus DOM-based vulnerabilities</span> </div> </a> <ul id="toc-Server-side_versus_DOM-based_vulnerabilities-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Self-XSS" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Self-XSS"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.4</span> <span>Self-XSS</span> </div> </a> <ul id="toc-Self-XSS-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Mutated_XSS_(mXSS)" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Mutated_XSS_(mXSS)"> <div class="vector-toc-text"> <span class="vector-toc-numb">2.5</span> <span>Mutated XSS (mXSS)</span> </div> </a> <ul id="toc-Mutated_XSS_(mXSS)-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Preventive_measures" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Preventive_measures"> <div class="vector-toc-text"> <span class="vector-toc-numb">3</span> <span>Preventive measures</span> </div> </a> <button aria-controls="toc-Preventive_measures-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> <span class="vector-icon mw-ui-icon-wikimedia-expand"></span> <span>Toggle Preventive measures subsection</span> </button> <ul id="toc-Preventive_measures-sublist" class="vector-toc-list"> <li id="toc-Contextual_output_encoding/escaping_of_string_input" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Contextual_output_encoding/escaping_of_string_input"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.1</span> <span>Contextual 
output encoding/escaping of string input</span> </div> </a> <ul id="toc-Contextual_output_encoding/escaping_of_string_input-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Safely_validating_untrusted_HTML_input" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Safely_validating_untrusted_HTML_input"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.2</span> <span>Safely validating untrusted HTML input</span> </div> </a> <ul id="toc-Safely_validating_untrusted_HTML_input-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Cookie_security" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Cookie_security"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.3</span> <span>Cookie security</span> </div> </a> <ul id="toc-Cookie_security-sublist" class="vector-toc-list"> <li id="toc-Http-only_cookie" class="vector-toc-list-item vector-toc-level-3"> <a class="vector-toc-link" href="#Http-only_cookie"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.3.1</span> <span>Http-only cookie</span> </div> </a> <ul id="toc-Http-only_cookie-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Disabling_scripts" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Disabling_scripts"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.4</span> <span>Disabling scripts</span> </div> </a> <ul id="toc-Disabling_scripts-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Selectively_disabling_scripts" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Selectively_disabling_scripts"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.5</span> <span>Selectively disabling scripts</span> </div> </a> <ul id="toc-Selectively_disabling_scripts-sublist" class="vector-toc-list"> <li id="toc-Content_Security_Policy" class="vector-toc-list-item vector-toc-level-3"> <a 
class="vector-toc-link" href="#Content_Security_Policy"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.5.1</span> <span>Content Security Policy</span> </div> </a> <ul id="toc-Content_Security_Policy-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Emerging_defensive_technologies" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Emerging_defensive_technologies"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.6</span> <span>Emerging defensive technologies</span> </div> </a> <ul id="toc-Emerging_defensive_technologies-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-SameSite_cookie_parameter" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#SameSite_cookie_parameter"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.7</span> <span>SameSite cookie parameter</span> </div> </a> <ul id="toc-SameSite_cookie_parameter-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-Notable_Incidents" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Notable_Incidents"> <div class="vector-toc-text"> <span class="vector-toc-numb">4</span> <span>Notable Incidents</span> </div> </a> <ul id="toc-Notable_Incidents-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-See_also" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#See_also"> <div class="vector-toc-text"> <span class="vector-toc-numb">5</span> <span>See also</span> </div> </a> <ul id="toc-See_also-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Footnotes" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Footnotes"> <div class="vector-toc-text"> <span class="vector-toc-numb">6</span> <span>Footnotes</span> </div> </a> <ul id="toc-Footnotes-sublist" class="vector-toc-list"> 
</ul> </li> <li id="toc-References" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#References"> <div class="vector-toc-text"> <span class="vector-toc-numb">7</span> <span>References</span> </div> </a> <ul id="toc-References-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Further_reading" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Further_reading"> <div class="vector-toc-text"> <span class="vector-toc-numb">8</span> <span>Further reading</span> </div> </a> <ul id="toc-Further_reading-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-External_links" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#External_links"> <div class="vector-toc-text"> <span class="vector-toc-numb">9</span> <span>External links</span> </div> </a> <ul id="toc-External_links-sublist" class="vector-toc-list"> </ul> </li> </ul> </div> </div> </nav> </div> </div> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-page-titlebar-toc" class="vector-dropdown vector-page-titlebar-toc vector-button-flush-left" > <input type="checkbox" id="vector-page-titlebar-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-titlebar-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-page-titlebar-toc-label" for="vector-page-titlebar-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-listBullet mw-ui-icon-wikimedia-listBullet"></span> <span class="vector-dropdown-label-text">Toggle the table of contents</span> 
</label> <div class="vector-dropdown-content"> <div id="vector-page-titlebar-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Cross-site scripting</span></h1> <div id="p-lang-btn" class="vector-dropdown mw-portlet mw-portlet-lang" > <input type="checkbox" id="p-lang-btn-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-p-lang-btn" class="vector-dropdown-checkbox mw-interlanguage-selector" aria-label="Go to an article in another language. Available in 37 languages" > <label id="p-lang-btn-label" for="p-lang-btn-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive mw-portlet-lang-heading-37" aria-hidden="true" ><span class="vector-icon mw-ui-icon-language-progressive mw-ui-icon-wikimedia-language-progressive"></span> <span class="vector-dropdown-label-text">37 languages</span> </label> <div class="vector-dropdown-content"> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li class="interlanguage-link interwiki-ar mw-list-item"><a href="https://ar.wikipedia.org/wiki/%D8%A8%D8%B1%D9%85%D8%AC%D8%A9_%D8%B9%D8%A7%D8%A8%D8%B1%D8%A9_%D9%84%D9%84%D9%85%D9%88%D8%A7%D9%82%D8%B9" title="برمجة عابرة للمواقع – Arabic" lang="ar" hreflang="ar" data-title="برمجة عابرة للمواقع" data-language-autonym="العربية" data-language-local-name="Arabic" class="interlanguage-link-target"><span>العربية</span></a></li><li class="interlanguage-link interwiki-az mw-list-item"><a href="https://az.wikipedia.org/wiki/Saytlararas%C4%B1_skript" title="Saytlararası skript – Azerbaijani" lang="az" hreflang="az" data-title="Saytlararası skript" data-language-autonym="Azərbaycanca" data-language-local-name="Azerbaijani" class="interlanguage-link-target"><span>Azərbaycanca</span></a></li><li class="interlanguage-link 
aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Computer security vulnerability</div><style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output 
.hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">"XSS" redirects here. For other uses, see <a href="/wiki/XSS_(disambiguation)" class="mw-disambig" title="XSS (disambiguation)">XSS (disambiguation)</a>.</div> <p><b>Cross-site scripting</b> (<b>XSS</b>)<sup id="cite_ref-1" class="reference"><a href="#cite_note-1"><span class="cite-bracket">[</span>a<span class="cite-bracket">]</span></a></sup> is a type of security <a href="/wiki/Vulnerability_(computer_science)" class="mw-redirect" title="Vulnerability (computer science)">vulnerability</a> that can be found in some <a href="/wiki/Web_application" title="Web application">web applications</a>. XSS attacks enable attackers to <a href="/wiki/Code_injection" title="Code injection">inject</a> client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass <a href="/wiki/Access_control" title="Access control">access controls</a> such as the <a href="/wiki/Same-origin_policy" title="Same-origin policy">same-origin policy</a>. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by <a href="/wiki/NortonLifeLock" class="mw-redirect" title="NortonLifeLock">Symantec</a>.<sup id="cite_ref-SIS_1_2-0" class="reference"><a href="#cite_note-SIS_1-2"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner <a href="/wiki/Computer_network" title="Computer network">network</a>. </p><p><a href="/wiki/OWASP" title="OWASP">OWASP</a> considers the term cross-site scripting to be a <a href="/wiki/Misnomer" title="Misnomer">misnomer</a>. 
The term initially described an attack used for breaching data across sites, but gradually came to include other forms of data injection attacks.<sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">[</span>2<span class="cite-bracket">]</span></a></sup> </p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="Background">Background</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=1" title="Edit section: Background"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main articles: <a href="/wiki/Web_security" class="mw-redirect" title="Web security">Web security</a> and <a href="/wiki/Same-origin_policy" title="Same-origin policy">Same-origin policy</a></div> <p>Security on the web depends on a variety of mechanisms, including an underlying concept of trust known as the <a href="/wiki/Same-origin_policy" title="Same-origin policy">same-origin policy</a>. This states that if content from one site (such as <i>https://mybank.example1.com</i>) is granted permission to access resources (like cookies etc.) on a web browser, then content from any URL with the same (1) <a href="/wiki/URI_scheme" class="mw-redirect" title="URI scheme">URI scheme</a> (e.g. ftp, http, or https), (2) <a href="/wiki/Host_name" class="mw-redirect" title="Host name">host name</a>, <i>and</i> (3) <a href="/wiki/Port_number" class="mw-redirect" title="Port number">port number</a> will share these permissions. 
Content from URLs where any of these three attributes are different will have to be granted permissions separately.<sup id="cite_ref-4" class="reference"><a href="#cite_note-4"><span class="cite-bracket">[</span>3<span class="cite-bracket">]</span></a></sup> </p><p>Cross-site scripting attacks use known vulnerabilities in <a href="/wiki/Web_application" title="Web application">web-based applications</a>, their <a href="/wiki/Server_(computing)" title="Server (computing)">servers</a>, or the plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, to session cookies, and to a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are a case of <a href="/wiki/Code_injection" title="Code injection">code injection</a>. </p><p><a href="/wiki/Microsoft" title="Microsoft">Microsoft</a> security-engineers introduced the term "cross-site scripting" in January 2000.<sup id="cite_ref-xssname_5-0" class="reference"><a href="#cite_note-xssname-5"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup><sup class="noprint Inline-Template noprint Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:No_original_research#Primary,_secondary_and_tertiary_sources" title="Wikipedia:No original research"><span title="This claim needs references to reliable secondary sources. 
(October 2024)">non-primary source needed</span></a></i>]</sup> The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack-site, in a manner that executes a fragment of JavaScript prepared by the attacker in the <a href="/wiki/Same-origin_policy" title="Same-origin policy">security context</a> of the targeted domain (taking advantage of a <i>reflected</i> or <i>non-persistent</i> XSS vulnerability). The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including <a href="/wiki/ActiveX" title="ActiveX">ActiveX</a>, <a href="/wiki/Java_(programming_language)" title="Java (programming language)">Java</a>, <a href="/wiki/VBScript" title="VBScript">VBScript</a>, <a href="/wiki/Adobe_Flash" title="Adobe Flash">Flash</a>, or even <a href="/wiki/HTML" title="HTML">HTML</a> scripts), causing some confusion to newcomers to the field of <a href="/wiki/Information_security" title="Information security">information security</a>.<sup id="cite_ref-Grossman_6-0" class="reference"><a href="#cite_note-Grossman-6"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup> </p><p>XSS vulnerabilities have been reported and exploited since the 1990s. 
Prominent sites affected in the past include the social-networking sites <a href="/wiki/Twitter" title="Twitter">Twitter</a><sup id="cite_ref-7" class="reference"><a href="#cite_note-7"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> and <a href="/wiki/Facebook" title="Facebook">Facebook</a>.<sup id="cite_ref-8" class="reference"><a href="#cite_note-8"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> Cross-site scripting flaws have since surpassed <a href="/wiki/Buffer_overflow" title="Buffer overflow">buffer overflows</a> to become the most common publicly reported security vulnerability,<sup id="cite_ref-9" class="reference"><a href="#cite_note-9"><span class="cite-bracket">[</span>8<span class="cite-bracket">]</span></a></sup> with some researchers in 2007 estimating as many as 68% of websites are likely open to XSS attacks.<sup id="cite_ref-10" class="reference"><a href="#cite_note-10"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Types">Types</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=2" title="Edit section: Types"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: <i>non-persistent</i> and <i>persistent</i>. Some sources further divide these two groups into <i>traditional</i> (caused by server-side code flaws) and <i><a href="/wiki/Document_Object_Model" title="Document Object Model">DOM</a>-based</i> (in client-side code). 
</p> <div class="mw-heading mw-heading3"><h3 id="Non-persistent_(reflected)"><span id="Non-persistent_.28reflected.29"></span>Non-persistent (reflected)</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=3" title="Edit section: Non-persistent (reflected)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The <i>non-persistent</i> (or <i>reflected</i>) cross-site scripting vulnerability is by far the most basic type of web vulnerability.<sup id="cite_ref-HopeWalther_11-0" class="reference"><a href="#cite_note-HopeWalther-11"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup> These holes show up when the data provided by a web client,<sup id="cite_ref-12" class="reference"><a href="#cite_note-12"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly <a href="/wiki/HTML_sanitization" title="HTML sanitization">sanitizing</a> the content.<sup id="cite_ref-WASC-2005_13-0" class="reference"><a href="#cite_note-WASC-2005-13"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p><p>Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection.<sup id="cite_ref-HopeWalther_11-1" class="reference"><a href="#cite_note-HopeWalther-11"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-WASC-2005_13-1" class="reference"><a href="#cite_note-WASC-2005-13"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> A classic 
example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly <a href="/wiki/Escape_character" title="Escape character">escape</a> or reject HTML control characters, a cross-site scripting flaw will ensue.<sup id="cite_ref-GHFPR_14-0" class="reference"><a href="#cite_note-GHFPR-14"><span class="cite-bracket">[</span>13<span class="cite-bracket">]</span></a></sup> </p><p>A reflected attack is typically delivered via email or a neutral web site. The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector. If the trusted site is vulnerable to the vector, clicking the link can cause the victim's browser to execute the injected script. </p> <div class="mw-heading mw-heading3"><h3 id="Persistent_(or_stored)"><span id="Persistent_.28or_stored.29"></span>Persistent (or stored)</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=4" title="Edit section: Persistent (or stored)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The <i>persistent</i> (or <i>stored</i>) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. 
A classic example of this is with online message boards where users are allowed to post HTML-formatted messages for other users to read.<sup id="cite_ref-WASC-2005_13-2" class="reference"><a href="#cite_note-WASC-2005-13"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p><p>For example, suppose there is a dating website where members scan the profiles of other members to see if they look interesting. For privacy reasons, this site hides everybody's real name and email. These are kept secret on the server. The only time a member's real name and <a href="/wiki/Email" title="Email">email</a> are in the browser is when the member is <a href="/wiki/Login" title="Login">signed in</a>, and they can't see anyone else's. </p><p>Suppose that Mallory, an attacker, joins the site and wants to figure out the real names of the people she sees on the site. To do so, she writes a script designed to run from other users' browsers when <i>they</i> visit <i>her</i> profile. The script then sends a quick message to her own server, which collects this information. </p><p>To do this, for the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal), but the text at the end of her answer is her script to steal names and emails. If the script is enclosed inside a <code>&lt;script&gt;</code> element, it won't be shown on the screen. Then suppose that Bob, a member of the dating site, reaches Mallory's profile, which has her answer to the First Date question. Her script is run automatically by the browser and steals a copy of Bob's real name and email directly from his own machine. </p><p>Persistent XSS vulnerabilities can be more significant than other types because an attacker's malicious script is rendered automatically, without the need to individually target victims or lure them to a third-party website. 
Particularly in the case of social networking sites, the code would be further designed to self-propagate across accounts, creating a type of client-side <a href="/wiki/Computer_worm" title="Computer worm">worm</a>.<sup id="cite_ref-15" class="reference"><a href="#cite_note-15"><span class="cite-bracket">[</span>14<span class="cite-bracket">]</span></a></sup> </p><p>The methods of injection can vary a great deal; in some cases, the attacker may not even need to directly interact with the web functionality itself to exploit such a hole. Any data received by the web application (via email, system logs, IM etc.) that can be controlled by an attacker could become an injection vector. </p> <div class="mw-heading mw-heading3"><h3 id="Server-side_versus_DOM-based_vulnerabilities">Server-side versus DOM-based vulnerabilities</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=5" title="Edit section: Server-side versus DOM-based vulnerabilities"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>XSS vulnerabilities were originally found in applications that performed all data processing on the server side. User input (including an XSS vector) would be sent to the server, and then sent back to the user as a web page. The need for an improved user experience resulted in popularity of applications that had a majority of the presentation logic (maybe written in <a href="/wiki/JavaScript" title="JavaScript">JavaScript</a>) working on the client-side that pulled data, on-demand, from the server using <a href="/wiki/AJAX" class="mw-redirect" title="AJAX">AJAX</a>. </p><p>As the JavaScript code was also processing user input and rendering it in the web page content, a new sub-class of reflected XSS attacks started to appear that was called <i><a href="/wiki/Document_Object_Model" title="Document Object Model">DOM</a>-based cross-site scripting</i>. 
In a DOM-based XSS attack, the malicious data does not touch the web server. Rather, it is being reflected by the JavaScript code, fully on the client side.<sup id="cite_ref-16" class="reference"><a href="#cite_note-16"><span class="cite-bracket">[</span>15<span class="cite-bracket">]</span></a></sup> </p><p>An example of a DOM-based XSS vulnerability is the bug found in 2011 in a number of <a href="/wiki/JQuery" title="JQuery">jQuery</a> plugins.<sup id="cite_ref-17" class="reference"><a href="#cite_note-17"><span class="cite-bracket">[</span>16<span class="cite-bracket">]</span></a></sup> Prevention strategies for DOM-based XSS attacks include very similar measures to traditional XSS prevention strategies but implemented in <a href="/wiki/JavaScript" title="JavaScript">JavaScript</a> code and contained in web pages (i.e. input validation and escaping).<sup id="cite_ref-18" class="reference"><a href="#cite_note-18"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup> Some <a href="/wiki/JavaScript_library" title="JavaScript library">JavaScript frameworks</a> have built-in countermeasures against this and other types of attack — for example <a href="/wiki/AngularJS" title="AngularJS">AngularJS</a>.<sup id="cite_ref-19" class="reference"><a href="#cite_note-19"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Self-XSS">Self-XSS</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=6" title="Edit section: Self-XSS"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Self-XSS" title="Self-XSS">Self-XSS</a></div> <p><a href="/wiki/Self-XSS" title="Self-XSS">Self-XSS</a> 
is a form of XSS vulnerability that relies on <a href="/wiki/Social_engineering_(security)" title="Social engineering (security)">social engineering</a> in order to trick the victim into executing malicious JavaScript code in their browser. Although it is technically not a true XSS vulnerability, because it relies on socially engineering a user into executing code rather than on a flaw in the affected website that lets an attacker do so, it still poses the same risks as a regular XSS vulnerability if properly executed.<sup id="cite_ref-20" class="reference"><a href="#cite_note-20"><span class="cite-bracket">[</span>19<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Mutated_XSS_(mXSS)"><span id="Mutated_XSS_.28mXSS.29"></span>Mutated XSS (mXSS)</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=7" title="Edit section: Mutated XSS (mXSS)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Mutated XSS happens when the attacker injects something that is seemingly safe but is rewritten and modified by the browser while parsing the markup. This makes it extremely hard to detect or sanitize within the website's application logic, because a sanitizer that inspects the markup before the browser re-serializes it never sees the form that is ultimately executed. An example is the browser rebalancing unclosed quotation marks, or even adding quotation marks to unquoted parameters, such as those of the CSS font-family property. 
</p> <div class="mw-heading mw-heading2"><h2 id="Preventive_measures">Preventive measures</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=8" title="Edit section: Preventive measures"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <div class="mw-heading mw-heading3"><h3 id="Contextual_output_encoding/escaping_of_string_input"><span id="Contextual_output_encoding.2Fescaping_of_string_input"></span>Contextual output encoding/escaping of string input</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=9" title="Edit section: Contextual output encoding/escaping of string input"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>There are several escaping schemes that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and <a href="/wiki/Percent-encoding" title="Percent-encoding">URL (or percent) encoding</a>.<sup id="cite_ref-OWASP_21-0" class="reference"><a href="#cite_note-OWASP-21"><span class="cite-bracket">[</span>20<span class="cite-bracket">]</span></a></sup> Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner. 
</p><p>Performing HTML entity encoding only on the <a href="/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML" title="List of XML and HTML character entity references">five XML significant characters</a> is not always sufficient to prevent many forms of XSS attacks; security encoding libraries are usually easier to use.<sup id="cite_ref-OWASP_21-1" class="reference"><a href="#cite_note-OWASP-21"><span class="cite-bracket">[</span>20<span class="cite-bracket">]</span></a></sup> </p><p>Some <a href="/wiki/Web_template_system" title="Web template system">web template systems</a> understand the structure of the HTML they produce and automatically pick an appropriate encoder.<sup id="cite_ref-22" class="reference"><a href="#cite_note-22"><span class="cite-bracket">[</span>21<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-23" class="reference"><a href="#cite_note-23"><span class="cite-bracket">[</span>22<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-24" class="reference"><a href="#cite_note-24"><span class="cite-bracket">[</span>23<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Safely_validating_untrusted_HTML_input">Safely validating untrusted HTML input</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=10" title="Edit section: Safely validating untrusted HTML input"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <code>&lt;b&gt;very&lt;/b&gt; large</code>), output encoding (such as <code>&amp;lt;b&amp;gt;very&amp;lt;/b&amp;gt; large</code>) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "<b>very</b> large", instead of "&lt;b&gt;very&lt;/b&gt; large"). 
Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an <a href="/wiki/HTML_sanitization" title="HTML sanitization">HTML sanitization</a> engine to ensure that it does not contain XSS code. </p><p>Many validations rely on parsing out (blacklisting) specific "at risk" HTML tags such as the <a href="/wiki/IFRAME" class="mw-redirect" title="IFRAME">iframe</a>, link and script tags. </p><p>There are several issues with this approach: for example, seemingly harmless tags can be left off the list, and when used in the right way they can still result in an XSS. </p><p>Another popular method is to strip user input of " and '; however, this can also be bypassed, as the payload can be concealed with <a href="/wiki/Obfuscation" title="Obfuscation">obfuscation</a>. </p> <div class="mw-heading mw-heading3"><h3 id="Cookie_security">Cookie security</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=11" title="Edit section: Cookie security"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Further information: <a href="/wiki/HTTP_cookie" title="HTTP cookie">HTTP cookie</a></div> <p>Besides content filtering, other imperfect methods for cross-site scripting mitigation are also commonly used. One example is the use of additional security controls when handling <a href="/wiki/HTTP_cookie" title="HTTP cookie">cookie</a>-based user authentication. 
Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies.<sup id="cite_ref-Sharma_25-0" class="reference"><a href="#cite_note-Sharma-25"><span class="cite-bracket">[</span>24<span class="cite-bracket">]</span></a></sup> To mitigate this particular threat (though not the XSS problem in general), many web applications tie session cookies to the IP address of the user who originally logged in, then only permit that IP to use that cookie.<sup id="cite_ref-ModSecurity_26-0" class="reference"><a href="#cite_note-ModSecurity-26"><span class="cite-bracket">[</span>25<span class="cite-bracket">]</span></a></sup> This is effective in most situations (if an attacker is only after the cookie), but obviously breaks down in situations where an attacker is behind the same <a href="/wiki/Network_address_translation" title="Network address translation">NATed</a> IP address or <a href="/wiki/Web_proxy" class="mw-redirect" title="Web proxy">web proxy</a> as the victim, or the victim is changing his or her <a href="/wiki/Mobile_IP" title="Mobile IP">mobile IP</a>.<sup id="cite_ref-ModSecurity_26-1" class="reference"><a href="#cite_note-ModSecurity-26"><span class="cite-bracket">[</span>25<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="Http-only_cookie">Http-only cookie</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=12" title="Edit section: Http-only cookie"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Http-only_cookie" class="mw-redirect" title="Http-only cookie">Http-only 
cookie</a></div> <p>Another mitigation present in <a href="/wiki/Internet_Explorer" title="Internet Explorer">Internet Explorer</a> (since version 6), <a href="/wiki/Firefox" title="Firefox">Firefox</a> (since version 2.0.0.5), <a href="/wiki/Safari_(web_browser)" title="Safari (web browser)">Safari</a> (since version 4), <a href="/wiki/Opera_(web_browser)" title="Opera (web browser)">Opera</a> (since version 9.5) and <a href="/wiki/Google_Chrome" title="Google Chrome">Google Chrome</a>, is an <i>HttpOnly</i> flag which allows a web server to set a cookie that is unavailable to client-side scripts. While beneficial, the feature can neither fully prevent cookie theft nor prevent attacks within the browser.<sup id="cite_ref-27" class="reference"><a href="#cite_note-27"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Disabling_scripts">Disabling scripts</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=13" title="Edit section: Disabling scripts"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>While <a href="/wiki/Web_2.0" title="Web 2.0">Web 2.0</a> and <a href="/wiki/Ajax_(programming)" title="Ajax (programming)">Ajax</a> developers require the use of JavaScript,<sup id="cite_ref-28" class="reference"><a href="#cite_note-28"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> some web applications are written to allow operation without the need for any client-side scripts.<sup id="cite_ref-29" class="reference"><a href="#cite_note-29"><span class="cite-bracket">[</span>28<span class="cite-bracket">]</span></a></sup> This allows users, if they choose, to disable scripting in their browsers before using the application. 
In this way, even potentially malicious client-side scripts could be inserted unescaped on a page, and users would not be susceptible to XSS attacks. </p><p>Some browsers or browser plugins can be configured to disable client-side scripts on a per-domain basis. This approach is of limited value if scripting is allowed by default, since it blocks bad sites only <i>after</i> the user knows that they are bad, which is too late. Functionality that blocks all scripting and external inclusions by default and then allows the user to enable it on a per-domain basis is more effective. This has been possible for a long time in Internet Explorer (since version 4) by setting up its so called "Security Zones",<sup id="cite_ref-30" class="reference"><a href="#cite_note-30"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup> and in Opera (since version 9) using its "Site Specific Preferences".<sup id="cite_ref-31" class="reference"><a href="#cite_note-31"><span class="cite-bracket">[</span>30<span class="cite-bracket">]</span></a></sup> A solution for Firefox and other <a href="/wiki/Gecko_(layout_engine)" class="mw-redirect" title="Gecko (layout engine)">Gecko</a>-based browsers is the open source <a href="/wiki/NoScript" title="NoScript">NoScript</a> add-on which, in addition to the ability to enable scripts on a per-domain basis, provides some XSS protection even when scripts are enabled.<sup id="cite_ref-32" class="reference"><a href="#cite_note-32"><span class="cite-bracket">[</span>31<span class="cite-bracket">]</span></a></sup> </p><p>The most significant problem with blocking all scripts on all websites by default is substantial reduction in functionality and responsiveness (client-side scripting can be much faster than server-side scripting because it does not need to connect to a remote server and the page or <a href="/wiki/Frame_(World_Wide_Web)" title="Frame (World Wide Web)">frame</a> does not need to be reloaded).<sup id="cite_ref-33" 
class="reference"><a href="#cite_note-33"><span class="cite-bracket">[</span>32<span class="cite-bracket">]</span></a></sup> Another problem with script blocking is that many users do not understand it, and do not know how to properly secure their browsers. Yet another drawback is that many sites do not work without client-side scripting, forcing users to disable protection for that site and opening their systems to vulnerabilities.<sup id="cite_ref-34" class="reference"><a href="#cite_note-34"><span class="cite-bracket">[</span>33<span class="cite-bracket">]</span></a></sup> The Firefox NoScript extension enables users to allow scripts selectively from a given page while disallowing others on the same page. For example, scripts from example.com could be allowed, while scripts from advertisingagency.com that are attempting to run on the same page could be disallowed.<sup id="cite_ref-35" class="reference"><a href="#cite_note-35"><span class="cite-bracket">[</span>34<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Selectively_disabling_scripts">Selectively disabling scripts</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=14" title="Edit section: Selectively disabling scripts"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <div class="mw-heading mw-heading4"><h4 id="Content_Security_Policy">Content Security Policy</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=15" title="Edit section: Content Security Policy"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Content_Security_Policy" title="Content 
Security Policy">Content Security Policy</a></div> <p><a href="/wiki/Content_Security_Policy" title="Content Security Policy">Content Security Policy</a> (CSP) allows HTML documents to opt in to disabling some scripts while leaving others enabled.<sup id="cite_ref-36" class="reference"><a href="#cite_note-36"><span class="cite-bracket">[</span>35<span class="cite-bracket">]</span></a></sup> The browser checks each script against a policy before deciding whether to run it. As long as the policy only allows trustworthy scripts and disallows <a href="/wiki/Eval" title="Eval">dynamic code loading</a>, the browser will not run programs from untrusted authors regardless of the HTML document's structure. </p><p>Modern CSP policies allow using <a href="/wiki/Cryptographic_nonce" title="Cryptographic nonce">nonces</a> to mark scripts in the HTML document as safe to run instead of keeping the policy entirely separate from the page content.<sup id="cite_ref-37" class="reference"><a href="#cite_note-37"><span class="cite-bracket">[</span>36<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-38" class="reference"><a href="#cite_note-38"><span class="cite-bracket">[</span>37<span class="cite-bracket">]</span></a></sup> As long as trusted nonces only appear on trustworthy scripts, the browser will not run programs from untrusted authors. 
Some large application providers report having successfully deployed nonce-based policies.<sup id="cite_ref-39" class="reference"><a href="#cite_note-39"><span class="cite-bracket">[</span>38<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-OR_1_40-0" class="reference"><a href="#cite_note-OR_1-40"><span class="cite-bracket">[</span>39<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Emerging_defensive_technologies">Emerging defensive technologies</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=16" title="Edit section: Emerging defensive technologies"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Trusted types<sup id="cite_ref-41" class="reference"><a href="#cite_note-41"><span class="cite-bracket">[</span>40<span class="cite-bracket">]</span></a></sup> changes <a href="/wiki/Web_API" title="Web API">Web APIs</a> to check that values have been <a href="/wiki/Trademark_(computer_security)" title="Trademark (computer security)">trademarked</a> as trusted.  As long as programs only trademark trustworthy values, an attacker who controls a JavaScript <a href="/wiki/String_(computer_science)" title="String (computer science)">string value</a> cannot cause XSS.  Trusted types are designed to be <a href="/wiki/Information_security_audit" title="Information security audit">auditable</a> by <a href="/wiki/Blue_team_(computer_security)" title="Blue team (computer security)">blue teams</a>. 
</p><p>Another defense approach is to use automated tools that remove malicious XSS code from web pages; these tools use <a href="/wiki/Static_program_analysis" title="Static program analysis">static analysis</a> and/or pattern-matching methods to identify potentially malicious code and neutralize it using methods like escaping.<sup id="cite_ref-42" class="reference"><a href="#cite_note-42"><span class="cite-bracket">[</span>41<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="SameSite_cookie_parameter">SameSite cookie parameter</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=17" title="Edit section: SameSite cookie parameter"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Same-site_cookie" class="mw-redirect" title="Same-site cookie">Same-site cookie</a></div> <p>When a cookie is set with the <code>SameSite=Strict</code> parameter, it is stripped from all cross-origin requests. 
When set with <code>SameSite=Lax</code>, it is stripped from all non-"safe" cross-origin requests (that is, requests other than GET, OPTIONS, and TRACE which have read-only semantics).<sup id="cite_ref-43" class="reference"><a href="#cite_note-43"><span class="cite-bracket">[</span>42<span class="cite-bracket">]</span></a></sup> The feature is implemented in <a href="/wiki/Google_Chrome" title="Google Chrome">Google Chrome</a> since version 63 and <a href="/wiki/Firefox" title="Firefox">Firefox</a> since version 60.<sup id="cite_ref-44" class="reference"><a href="#cite_note-44"><span class="cite-bracket">[</span>43<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Notable_Incidents">Notable Incidents</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=18" title="Edit section: Notable Incidents"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/British_Airways_data_breach" title="British Airways data breach">British Airways data breach</a> (2018)</li></ul> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=19" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Web_application_security" class="mw-redirect" title="Web application security">Web application security</a></li> <li><a href="/wiki/Internet_security" title="Internet security">Internet security</a></li> <li><a href="/wiki/XML_external_entity" class="mw-redirect" title="XML external entity">XML external entity</a></li> <li><a href="/wiki/Browser_security" title="Browser security">Browser security</a></li> <li><a href="/wiki/Metasploit_Project" class="mw-redirect" title="Metasploit 
Project">Metasploit Project</a>, an open-source penetration testing tool that includes tests for XSS</li> <li><a href="/wiki/W3af" title="W3af">w3af</a>, an open-source <a href="/wiki/Web_application_security_scanner" class="mw-redirect" title="Web application security scanner">web application security scanner</a></li> <li>DOMPurify, a <a href="/wiki/Free_and_open_source" class="mw-redirect" title="Free and open source">free and open source</a> code library by <a href="/wiki/Cure53" title="Cure53">Cure53</a> to reduce susceptibility to XSS vulnerabilities in websites.</li> <li><a href="/wiki/Cross-document_messaging" class="mw-redirect" title="Cross-document messaging">Cross-document messaging</a></li> <li><a href="/wiki/Samy_(computer_worm)" title="Samy (computer worm)">Samy (computer worm)</a></li> <li><a href="/wiki/Parameter_validation" title="Parameter validation">Parameter validation</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="Footnotes">Footnotes</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=20" title="Edit section: Footnotes"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist .references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output 
.reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist reflist-lower-alpha"> <div class="mw-references-wrap"><ol class="references"> <li id="cite_note-1"><span class="mw-cite-backlink"><b><a href="#cite_ref-1">^</a></b></span> <span class="reference-text">The abbreviation 'XSS' is commonly used to avoid confusion with <a href="/wiki/Cascading_style_sheets" class="mw-redirect" title="Cascading style sheets">cascading style sheets</a>.</span> </li> </ol></div></div> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Cross-site_scripting&action=edit&section=21" title="Edit section: References"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1239543626"><div class="reflist reflist-columns references-column-width" style="column-width: 30em;"> <ol class="references"> <li id="cite_note-SIS_1-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-SIS_1_2-0">^</a></b></span> <span class="reference-text"><style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription 
a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://techcrunch.com/wp-content/uploads/2009/08/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf">"Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary)"</a> <span class="cs1-format">(PDF)</span>. <a href="/wiki/Yahoo" title="Yahoo">Yahoo</a>. April 2008. pp. 1–3. 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20080625065121/https://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf">Archived</a> <span class="cs1-format">(PDF)</span> from the original on June 25, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">January 1,</span> 2024</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Symantec+Internet+Security+Threat+Report%3A+Trends+for+July%E2%80%93December+2007+%28Executive+Summary%29&rft.pages=1-3&rft.pub=Yahoo&rft.date=2008-04&rft_id=https%3A%2F%2Ftechcrunch.com%2Fwp-content%2Fuploads%2F2009%2F08%2Fb-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">"Cross Site Scripting Prevention - OWASP Cheat Sheet Series"</a>. <i><a href="/wiki/OWASP" title="OWASP">OWASP</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">March 19,</span> 2003</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=OWASP&rft.atitle=Cross+Site+Scripting+Prevention+-+OWASP+Cheat+Sheet+Series&rft_id=https%3A%2F%2Fcheatsheetseries.owasp.org%2Fcheatsheets%2FCross_Site_Scripting_Prevention_Cheat_Sheet.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-4"><span class="mw-cite-backlink"><b><a href="#cite_ref-4">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.w3.org/Security/wiki/Same_Origin_Policy">"Same Origin Policy - Web Security. W3.org"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">November 4,</span> 2014</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Same+Origin+Policy+-+Web+Security.+W3.org.&rft_id=http%3A%2F%2Fwww.w3.org%2FSecurity%2Fwiki%2FSame_Origin_Policy&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-xssname-5"><span class="mw-cite-backlink"><b><a href="#cite_ref-xssname_5-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREF&quot;dross&quot;_on_MSDN2009" class="citation web cs1">"dross" on MSDN (December 15, 2009). <a rel="nofollow" class="external text" href="https://learn.microsoft.com/en-ca/archive/blogs/dross/happy-10th-birthday-cross-site-scripting">"Happy 10th birthday Cross-Site Scripting!"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">February 9,</span> 2023</span>. 
<q>On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: [...] The next day there was consensus – Cross Site Scripting.</q></cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Happy+10th+birthday+Cross-Site+Scripting%21&rft.date=2009-12-15&rft.au=%22dross%22+on+MSDN&rft_id=https%3A%2F%2Flearn.microsoft.com%2Fen-ca%2Farchive%2Fblogs%2Fdross%2Fhappy-10th-birthday-cross-site-scripting&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-Grossman-6"><span class="mw-cite-backlink"><b><a href="#cite_ref-Grossman_6-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGrossman2006" class="citation web cs1">Grossman, Jeremiah (July 30, 2006). <a rel="nofollow" class="external text" href="http://jeremiahgrossman.blogspot.com/2006/07/origins-of-cross-site-scripting-xss.html">"The origins of Cross-Site Scripting (XSS)"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">September 15,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=The+origins+of+Cross-Site+Scripting+%28XSS%29&rft.date=2006-07-30&rft.aulast=Grossman&rft.aufirst=Jeremiah&rft_id=http%3A%2F%2Fjeremiahgrossman.blogspot.com%2F2006%2F07%2Forigins-of-cross-site-scripting-xss.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-7"><span class="mw-cite-backlink"><b><a href="#cite_ref-7">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFArthur2010" class="citation news cs1">Arthur, Charles (September 21, 2010). 
<a rel="nofollow" class="external text" href="https://www.theguardian.com/technology/blog/2010/sep/21/twitter-bug-malicious-exploit-xss">"Twitter users including Sarah Brown hit by malicious hacker attack"</a>. <i>The Guardian</i><span class="reference-accessdate">. Retrieved <span class="nowrap">September 21,</span> 2010</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=The+Guardian&rft.atitle=Twitter+users+including+Sarah+Brown+hit+by+malicious+hacker+attack&rft.date=2010-09-21&rft.aulast=Arthur&rft.aufirst=Charles&rft_id=https%3A%2F%2Fwww.theguardian.com%2Ftechnology%2Fblog%2F2010%2Fsep%2F21%2Ftwitter-bug-malicious-exploit-xss&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-8">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFLeyden2008" class="citation web cs1">Leyden, John (May 23, 2008). <a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2008/05/23/facebook_xss_flaw/">"Facebook poked by XSS flaw"</a>. <i>The Register</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 28,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Register&rft.atitle=Facebook+poked+by+XSS+flaw&rft.date=2008-05-23&rft.aulast=Leyden&rft.aufirst=John&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2008%2F05%2F23%2Ffacebook_xss_flaw%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-9"><span class="mw-cite-backlink"><b><a href="#cite_ref-9">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFChristeyMartin2007" class="citation web cs1">Christey, Steve; Martin, Robert A. (May 22, 2007). <a rel="nofollow" class="external text" href="//cwe.mitre.org/documents/vuln-trends/index.html">"Vulnerability Type Distributions in CVE (version 1.1)"</a>. MITRE Corporation<span class="reference-accessdate">. Retrieved <span class="nowrap">June 7,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Vulnerability+Type+Distributions+in+CVE+%28version+1.1%29&rft.pub=MITRE+Corporation&rft.date=2007-05-22&rft.aulast=Christey&rft.aufirst=Steve&rft.au=Martin%2C+Robert+A.&rft_id=%2F%2Fcwe.mitre.org%2Fdocuments%2Fvuln-trends%2Findex.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-10">^</a></b></span> <span class="reference-text"> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBerinato2007" class="citation news cs1">Berinato, Scott (January 1, 2007). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080418072230/http://www.csoonline.com/article/221113">"Software Vulnerability Disclosure: The Chilling Effect"</a>. 
<i>CSO</i>. <a href="/wiki/CXO_Media" class="mw-redirect" title="CXO Media">CXO Media</a>. p. 7. Archived from <a rel="nofollow" class="external text" href="http://www.csoonline.com/article/221113">the original</a> on April 18, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">June 7,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=CSO&rft.atitle=Software+Vulnerability+Disclosure%3A+The+Chilling+Effect&rft.pages=7&rft.date=2007-01-01&rft.aulast=Berinato&rft.aufirst=Scott&rft_id=http%3A%2F%2Fwww.csoonline.com%2Farticle%2F221113&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-HopeWalther-11"><span class="mw-cite-backlink">^ <a href="#cite_ref-HopeWalther_11-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-HopeWalther_11-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFPacoWalther2008" class="citation book cs1">Paco, Hope; Walther, Ben (2008). <span class="id-lock-registration" title="Free registration required"><a rel="nofollow" class="external text" href="https://archive.org/details/websecuritytesti00hope/page/128"><i>Web Security Testing Cookbook</i></a></span>. Sebastopol, CA: O'Reilly Media, Inc. p. <a rel="nofollow" class="external text" href="https://archive.org/details/websecuritytesti00hope/page/128">128</a>. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-0-596-51483-9" title="Special:BookSources/978-0-596-51483-9"><bdi>978-0-596-51483-9</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Web+Security+Testing+Cookbook&rft.place=Sebastopol%2C+CA&rft.pages=128&rft.pub=O%27Reilly+Media%2C+Inc.&rft.date=2008&rft.isbn=978-0-596-51483-9&rft.aulast=Paco&rft.aufirst=Hope&rft.au=Walther%2C+Ben&rft_id=https%3A%2F%2Farchive.org%2Fdetails%2Fwebsecuritytesti00hope%2Fpage%2F128&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-12"><span class="mw-cite-backlink"><b><a href="#cite_ref-12">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFHydaraSultanZulzalilAdmodisastro2015" class="citation journal cs1">Hydara, Isatou; Sultan, Abu Bakar Md.; Zulzalil, Hazura; Admodisastro, Novia (February 1, 2015). <a rel="nofollow" class="external text" href="https://linkinghub.elsevier.com/retrieve/pii/S0950584914001700">"Current state of research on cross-site scripting (XSS) – A systematic literature review"</a>. <i>Information and Software Technology</i>. <b>58</b>: 170–186. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1016%2Fj.infsof.2014.07.010">10.1016/j.infsof.2014.07.010</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Information+and+Software+Technology&rft.atitle=Current+state+of+research+on+cross-site+scripting+%28XSS%29+%E2%80%93+A+systematic+literature+review&rft.volume=58&rft.pages=170-186&rft.date=2015-02-01&rft_id=info%3Adoi%2F10.1016%2Fj.infsof.2014.07.010&rft.aulast=Hydara&rft.aufirst=Isatou&rft.au=Sultan%2C+Abu+Bakar+Md.&rft.au=Zulzalil%2C+Hazura&rft.au=Admodisastro%2C+Novia&rft_id=https%3A%2F%2Flinkinghub.elsevier.com%2Fretrieve%2Fpii%2FS0950584914001700&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-WASC-2005-13"><span class="mw-cite-backlink">^ <a href="#cite_ref-WASC-2005_13-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-WASC-2005_13-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-WASC-2005_13-2"><sup><i><b>c</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://projects.webappsec.org/Cross-Site-Scripting">"Cross-site Scripting"</a>. Web Application Security Consortium. 2005<span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 28,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Cross-site+Scripting&rft.pub=Web+Application+Security+Consortium&rft.date=2005&rft_id=http%3A%2F%2Fprojects.webappsec.org%2FCross-Site-Scripting&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-GHFPR-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-GHFPR_14-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGrossmanHansenFogiePetkov2007" class="citation book cs1">Grossman, Jeremiah; Hansen, Robert; Fogie, Seth; Petkov, Petko D.; Rager, Anton (2007). <a rel="nofollow" class="external text" href="https://books.google.com/books?id=dPhqDe0WHZ8C"><i>XSS Attacks: Cross Site Scripting Exploits and Defense (Abstract)</i></a>. Syngress. pp. 70, 156. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-59749-154-9" title="Special:BookSources/978-1-59749-154-9"><bdi>978-1-59749-154-9</bdi></a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 28,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=XSS+Attacks%3A+Cross+Site+Scripting+Exploits+and+Defense+%28Abstract%29&rft.pages=70%2C+156&rft.pub=Syngress&rft.date=2007&rft.isbn=978-1-59749-154-9&rft.aulast=Grossman&rft.aufirst=Jeremiah&rft.au=Hansen%2C+Robert&rft.au=Fogie%2C+Seth&rft.au=Petkov%2C+Petko+D.&rft.au=Rager%2C+Anton&rft_id=https%3A%2F%2Fbooks.google.com%2Fbooks%3Fid%3DdPhqDe0WHZ8C&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-15">^</a></b></span> <span class="reference-text">Viruses and worms in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFAlcorn2005" class="citation web cs1">Alcorn, Wade (September 27, 2005). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080516055612/http://www.bindshell.net/papers/xssv/">"The Cross-site Scripting Virus"</a>. BindShell.net. Archived from <a rel="nofollow" class="external text" href="http://www.bindshell.net/papers/xssv">the original</a> on May 16, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">May 27,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=The+Cross-site+Scripting+Virus&rft.pub=BindShell.net&rft.date=2005-09-27&rft.aulast=Alcorn&rft.aufirst=Wade&rft_id=http%3A%2F%2Fwww.bindshell.net%2Fpapers%2Fxssv&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span> and <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFGrossman2020" class="citation web cs1">Grossman, Jeremiah (November 2020). 
<a rel="nofollow" class="external text" href="https://www.helpnetsecurity.com/2006/05/04/cross-site-scripting-worms-and-viruses-the-impending-threat-and-the-best-defense/">"Cross-Site Scripting Worms and Viruses: The Impending Threat and the Best Defense"</a>. WhiteHat Security. p. 20<span class="reference-accessdate">. Retrieved <span class="nowrap">June 6,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Cross-Site+Scripting+Worms+and+Viruses%3A+The+Impending+Threat+and+the+Best+Defense&rft.pages=20&rft.pub=WhiteHat+Security&rft.date=2020-11&rft.aulast=Grossman&rft.aufirst=Jeremiah&rft_id=https%3A%2F%2Fwww.helpnetsecurity.com%2F2006%2F05%2F04%2Fcross-site-scripting-worms-and-viruses-the-impending-threat-and-the-best-defense%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span><sup class="noprint Inline-Template"><span style="white-space: nowrap;">[<i><a href="/wiki/Wikipedia:Link_rot" title="Wikipedia:Link rot"><span title=" Dead link tagged August 2018">permanent dead link</span></a></i><span style="visibility:hidden; color:transparent; padding-left:2px">‍</span>]</span></sup></span> </li> <li id="cite_note-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-16">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.owasp.org/index.php/DOM_Based_XSS">"DOM based XSS"</a>. 
OWASP.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DOM+based+XSS&rft.pub=OWASP&rft_id=https%3A%2F%2Fwww.owasp.org%2Findex.php%2FDOM_Based_XSS&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-17"><span class="mw-cite-backlink"><b><a href="#cite_ref-17">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://bugs.jquery.com/ticket/9521">"JQuery bug #9521"</a>. 2011.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=JQuery+bug+%239521&rft.date=2011&rft_id=http%3A%2F%2Fbugs.jquery.com%2Fticket%2F9521&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-18"><span class="mw-cite-backlink"><b><a href="#cite_ref-18">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet">"DOM based XSS prevention cheat sheet"</a>. 
OWASP.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=DOM+based+XSS+prevention+cheat+sheet&rft.pub=OWASP&rft_id=https%3A%2F%2Fwww.owasp.org%2Findex.php%2FDOM_based_XSS_Prevention_Cheat_Sheet&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-19">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://docs.angularjs.org/api/ng.$sce">"Strict Contextual Escaping"</a>. Angular.js.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Strict+Contextual+Escaping&rft.pub=Angular.js&rft_id=http%3A%2F%2Fdocs.angularjs.org%2Fapi%2Fng.%24sce&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-20"><span class="mw-cite-backlink"><b><a href="#cite_ref-20">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://www.majorgeeks.com/news/story/self_xss_facebook_scam_attempts_to_trick_users_into_hacking_themselves.html">"Self-XSS Facebook scam attempts to trick users into hacking themselves"</a>. <i>www.majorgeeks.com</i>. July 29, 2014<span class="reference-accessdate">. 
Retrieved <span class="nowrap">September 20,</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.majorgeeks.com&rft.atitle=Self-XSS+Facebook+scam+attempts+to+trick+users+into+hacking+themselves&rft.date=2014-07-29&rft_id=http%3A%2F%2Fwww.majorgeeks.com%2Fnews%2Fstory%2Fself_xss_facebook_scam_attempts_to_trick_users_into_hacking_themselves.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-OWASP-21"><span class="mw-cite-backlink">^ <a href="#cite_ref-OWASP_21-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-OWASP_21-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFWilliams2009" class="citation web cs1">Williams, Jeff (January 19, 2009). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20170318125710/https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">"XSS (Cross Site Scripting) Prevention Cheat Sheet"</a>. OWASP. Archived from <a rel="nofollow" class="external text" href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">the original</a> on March 18, 2017<span class="reference-accessdate">. 
Retrieved <span class="nowrap">February 4,</span> 2010</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=XSS+%28Cross+Site+Scripting%29+Prevention+Cheat+Sheet&rft.pub=OWASP&rft.date=2009-01-19&rft.aulast=Williams&rft.aufirst=Jeff&rft_id=https%3A%2F%2Fwww.owasp.org%2Findex.php%2FXSS_%2528Cross_Site_Scripting%2529_Prevention_Cheat_Sheet&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-22"><span class="mw-cite-backlink"><b><a href="#cite_ref-22">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://golang.org/pkg/html/template/#hdr-Introduction">"template - The Go Programming Language"</a>. <i>golang.org</i><span class="reference-accessdate">. Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=golang.org&rft.atitle=template+-+The+Go+Programming+Language&rft_id=https%3A%2F%2Fgolang.org%2Fpkg%2Fhtml%2Ftemplate%2F%23hdr-Introduction&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-23"><span class="mw-cite-backlink"><b><a href="#cite_ref-23">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://developers.google.com/closure/templates/docs/security">"Google Developers"</a>. <i>Google Developers</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Google+Developers&rft.atitle=Google+Developers&rft_id=https%3A%2F%2Fdevelopers.google.com%2Fclosure%2Ftemplates%2Fdocs%2Fsecurity&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-24"><span class="mw-cite-backlink"><b><a href="#cite_ref-24">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.npmjs.com/package/pug-plugin-trusted-types">"pug-plugin-trusted-types"</a>. <i>npm</i><span class="reference-accessdate">. Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=npm&rft.atitle=pug-plugin-trusted-types&rft_id=https%3A%2F%2Fwww.npmjs.com%2Fpackage%2Fpug-plugin-trusted-types&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-Sharma-25"><span class="mw-cite-backlink"><b><a href="#cite_ref-Sharma_25-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFSharma2004" class="citation web cs1">Sharma, Anand (February 3, 2004). <a rel="nofollow" class="external text" href="http://www.ibm.com/developerworks/ibm/library/wa-secxss/">"Prevent a cross-site scripting attack"</a>. IBM<span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 29,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Prevent+a+cross-site+scripting+attack&rft.pub=IBM&rft.date=2004-02-03&rft.aulast=Sharma&rft.aufirst=Anand&rft_id=http%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fibm%2Flibrary%2Fwa-secxss%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-ModSecurity-26"><span class="mw-cite-backlink">^ <a href="#cite_ref-ModSecurity_26-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-ModSecurity_26-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20080323040609/http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html">"ModSecurity: Features: PDF Universal XSS Protection"</a>. Breach Security. Archived from <a rel="nofollow" class="external text" href="http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html">the original</a> on March 23, 2008<span class="reference-accessdate">. 
Retrieved <span class="nowrap">June 6,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ModSecurity%3A+Features%3A+PDF+Universal+XSS+Protection&rft.pub=Breach+Security&rft_id=http%3A%2F%2Fwww.modsecurity.org%2Fprojects%2Fmodsecurity%2Fapache%2Ffeature_universal_pdf_xss.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-27"><span class="mw-cite-backlink"><b><a href="#cite_ref-27">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20080403234132/http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.php">"Ajax and Mashup Security"</a>. OpenAjax Alliance. Archived from <a rel="nofollow" class="external text" href="http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.php">the original</a> on April 3, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">June 9,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Ajax+and+Mashup+Security&rft.pub=OpenAjax+Alliance&rft_id=http%3A%2F%2Fwww.openajax.org%2Fwhitepapers%2FAjax%2520and%2520Mashup%2520Security.php&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-28"><span class="mw-cite-backlink"><b><a href="#cite_ref-28">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFO'Reilly2005" class="citation web cs1">O'Reilly, Tim (September 30, 2005). <a rel="nofollow" class="external text" href="http://oreilly.com/web2/archive/what-is-web-20.html">"What Is Web 2.0"</a>. O'Reilly Media. pp. 
4–5<span class="reference-accessdate">. Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=What+Is+Web+2.0&rft.pages=4-5&rft.pub=O%27Reilly+Media&rft.date=2005-09-30&rft.aulast=O%27Reilly&rft.aufirst=Tim&rft_id=http%3A%2F%2Foreilly.com%2Fweb2%2Farchive%2Fwhat-is-web-20.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-29"><span class="mw-cite-backlink"><b><a href="#cite_ref-29">^</a></b></span> <span class="reference-text">"A page should work, even if in a degraded form, without JavaScript." in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFZammetti2007" class="citation book cs1">Zammetti, Frank (April 16, 2007). <a rel="nofollow" class="external text" href="https://www.amazon.com/gp/reader/1590598164/"><i>Practical JavaScript, DOM Scripting and Ajax Projects via Amazon Reader</i></a>. Apress. p. 36. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-59059-816-0" title="Special:BookSources/978-1-59059-816-0"><bdi>978-1-59059-816-0</bdi></a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Practical+JavaScript%2C+DOM+Scripting+and+Ajax+Projects+via+Amazon+Reader&rft.pages=36&rft.pub=Apress&rft.date=2007-04-16&rft.isbn=978-1-59059-816-0&rft.aulast=Zammetti&rft.aufirst=Frank&rft_id=https%3A%2F%2Fwww.amazon.com%2Fgp%2Freader%2F1590598164%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-30"><span class="mw-cite-backlink"><b><a href="#cite_ref-30">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://support.microsoft.com/kb/174360/en-us">"How to use security zones in Internet Explorer"</a>. Microsoft. December 18, 2007<span class="reference-accessdate">. Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=How+to+use+security+zones+in+Internet+Explorer&rft.pub=Microsoft&rft.date=2007-12-18&rft_id=http%3A%2F%2Fsupport.microsoft.com%2Fkb%2F174360%2Fen-us&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-31"><span class="mw-cite-backlink"><b><a href="#cite_ref-31">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFLie2006" class="citation web cs1">Lie, Håkon Wium (February 7, 2006). <a rel="nofollow" class="external text" href="https://web.archive.org/web/20080517034438/http://labs.opera.com/news/2006/02/07-2/">"Opera 9 Technology Preview 2"</a>. Opera Software. 
Archived from <a rel="nofollow" class="external text" href="http://labs.opera.com/news/2006/02/07-2/">the original</a> on May 17, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Opera+9+Technology+Preview+2&rft.pub=Opera+Software&rft.date=2006-02-07&rft.aulast=Lie&rft.aufirst=H%C3%A5kon+Wium&rft_id=http%3A%2F%2Flabs.opera.com%2Fnews%2F2006%2F02%2F07-2%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-32"><span class="mw-cite-backlink"><b><a href="#cite_ref-32">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://addons.mozilla.org/en-US/firefox/addon/noscript/">"NoScript"</a>. Mozilla. May 30, 2008<span class="reference-accessdate">. Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=NoScript&rft.pub=Mozilla&rft.date=2008-05-30&rft_id=https%3A%2F%2Faddons.mozilla.org%2Fen-US%2Ffirefox%2Faddon%2Fnoscript%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span> and <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMogull2008" class="citation news cs1">Mogull, Rich (March 18, 2008). <a rel="nofollow" class="external text" href="http://db.tidbits.com/article/9511">"Should Mac Users Run Antivirus Software?"</a>. <i>TidBITS</i>. TidBITS Publishing<span class="reference-accessdate">. 
Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=TidBITS&rft.atitle=Should+Mac+Users+Run+Antivirus+Software%3F&rft.date=2008-03-18&rft.aulast=Mogull&rft.aufirst=Rich&rft_id=http%3A%2F%2Fdb.tidbits.com%2Farticle%2F9511&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-33"><span class="mw-cite-backlink"><b><a href="#cite_ref-33">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20080618005734/http://www1.elsevier.com/homepage/saa/trac/progmeth.htm">"<span class="cs1-kern-left"></span>"Using client-side events" in DataWindow Programmer's Guide"</a>. Sybase. March 2003. Archived from <a rel="nofollow" class="external text" href="http://www.elsevier.com/homepage/saa/trac/progmeth.htm">the original</a> on June 18, 2008<span class="reference-accessdate">. 
Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=%22Using+client-side+events%22+in+DataWindow+Programmer%27s+Guide&rft.pub=Sybase&rft.date=2003-03&rft_id=http%3A%2F%2Fwww.elsevier.com%2Fhomepage%2Fsaa%2Ftrac%2Fprogmeth.htm&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-34"><span class="mw-cite-backlink"><b><a href="#cite_ref-34">^</a></b></span> <span class="reference-text">73% of sites relied on JavaScript in late 2006, in <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation news cs1"><a rel="nofollow" class="external text" href="http://news.bbc.co.uk/2/hi/technology/6210068.stm">"<span class="cs1-kern-left"></span>'Most websites' failing disabled"</a>. <i>BBC News</i>. December 6, 2006<span class="reference-accessdate">. Retrieved <span class="nowrap">June 4,</span> 2008</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=BBC+News&rft.atitle=%27Most+websites%27+failing+disabled&rft.date=2006-12-06&rft_id=http%3A%2F%2Fnews.bbc.co.uk%2F2%2Fhi%2Ftechnology%2F6210068.stm&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-35"><span class="mw-cite-backlink"><b><a href="#cite_ref-35">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://noscript.net/features">"NoScript Features"</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">March 7,</span> 2009</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=NoScript+Features&rft_id=http%3A%2F%2Fnoscript.net%2Ffeatures&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-36"><span class="mw-cite-backlink"><b><a href="#cite_ref-36">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.w3.org/TR/CSP3/Overview.html">"Content Security Policy Level 3"</a>. <i>www.w3.org</i><span class="reference-accessdate">. Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.w3.org&rft.atitle=Content+Security+Policy+Level+3&rft_id=https%3A%2F%2Fwww.w3.org%2FTR%2FCSP3%2FOverview.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-37"><span class="mw-cite-backlink"><b><a href="#cite_ref-37">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://caniuse.com/#feat=contentsecuritypolicy2">"Can I use... Support tables for HTML5, CSS3, etc"</a>. <i>caniuse.com</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=caniuse.com&rft.atitle=Can+I+use...+Support+tables+for+HTML5%2C+CSS3%2C+etc&rft_id=https%3A%2F%2Fcaniuse.com%2F%23feat%3Dcontentsecuritypolicy2&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-38"><span class="mw-cite-backlink"><b><a href="#cite_ref-38">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://csp.withgoogle.com/docs/strict-csp.html">"Strict CSP - Content Security Policy"</a>. <i>csp.withgoogle.com</i><span class="reference-accessdate">. Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=csp.withgoogle.com&rft.atitle=Strict+CSP+-+Content+Security+Policy&rft_id=https%3A%2F%2Fcsp.withgoogle.com%2Fdocs%2Fstrict-csp.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-39"><span class="mw-cite-backlink"><b><a href="#cite_ref-39">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.eweek.com/security/how-google-is-using-content-security-policy-to-mitigate-web-flaws">"How Google Is Using Content Security Policy to Mitigate Web Flaws"</a>. <i>eWEEK</i>. April 22, 2019<span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=eWEEK&rft.atitle=How+Google+Is+Using+Content+Security+Policy+to+Mitigate+Web+Flaws&rft.date=2019-04-22&rft_id=https%3A%2F%2Fwww.eweek.com%2Fsecurity%2Fhow-google-is-using-content-security-policy-to-mitigate-web-flaws&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-OR_1-40"><span class="mw-cite-backlink"><b><a href="#cite_ref-OR_1_40-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFAkhawe2015" class="citation web cs1">Akhawe, Devdatta (September 21, 2015). <a rel="nofollow" class="external text" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">"[CSP] On Reporting and Filtering"</a>. <a href="/wiki/Dropbox" title="Dropbox">Dropbox</a><span class="reference-accessdate">. Retrieved <span class="nowrap">January 1,</span> 2024</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=%5BCSP%5D+On+Reporting+and+Filtering&rft.pub=Dropbox&rft.date=2015-09-21&rft.aulast=Akhawe&rft.aufirst=Devdatta&rft_id=https%3A%2F%2Fdropbox.tech%2Fsecurity%2Fon-csp-reporting-and-filtering&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-41"><span class="mw-cite-backlink"><b><a href="#cite_ref-41">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://wicg.github.io/trusted-types/dist/spec/">"Trusted Types Spec WIP"</a>. <i>wicg.github.io</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 1,</span> 2019</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=wicg.github.io&rft.atitle=Trusted+Types+Spec+WIP&rft_id=https%3A%2F%2Fwicg.github.io%2Ftrusted-types%2Fdist%2Fspec%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-42"><span class="mw-cite-backlink"><b><a href="#cite_ref-42">^</a></b></span> <span class="reference-text">L. K. Shar and H. B. K. Tan, "Automated removal of cross site scripting vulnerabilities in web applications," <i>Information and Software Technology,</i> vol. 54, <i>(5),</i> pp. 467-478, 2012.</span> </li> <li id="cite_note-43"><span class="mw-cite-backlink"><b><a href="#cite_ref-43">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMarkMike2016" class="citation journal cs1">Mark, Goodwin; Mike, West (April 6, 2016). <a rel="nofollow" class="external text" href="https://tools.ietf.org/html/draft-west-first-party-cookies-07">"Same-site Cookies"</a>. <i>tools.ietf.org</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">May 4,</span> 2018</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=tools.ietf.org&rft.atitle=Same-site+Cookies&rft.date=2016-04-06&rft.aulast=Mark&rft.aufirst=Goodwin&rft.au=Mike%2C+West&rft_id=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-west-first-party-cookies-07&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> <li id="cite_note-44"><span class="mw-cite-backlink"><b><a href="#cite_ref-44">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://caniuse.com/#feat=same-site-cookie-attribute">"Can I use... Support tables for HTML5, CSS3, etc"</a>. <i>caniuse.com</i><span class="reference-accessdate">. Retrieved <span class="nowrap">May 4,</span> 2018</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=caniuse.com&rft.atitle=Can+I+use...+Support+tables+for+HTML5%2C+CSS3%2C+etc&rft_id=https%3A%2F%2Fcaniuse.com%2F%23feat%3Dsame-site-cookie-attribute&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></span> </li> </ol></div> <div class="mw-heading mw-heading2"><h2 id="Further_reading">Further reading</h2></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFMacKenzie" class="citation web cs1">MacKenzie, Thomas. 
<a rel="nofollow" class="external text" href="http://www.scriptalert1.com">"ScriptAlert1.com – Concise Cross-Site Scripting Explanation in Multiple Languages"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">October 24,</span> 2015</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ScriptAlert1.com+%E2%80%93+Concise+Cross-Site+Scripting+Explanation+in+Multiple+Languages&rft.aulast=MacKenzie&rft.aufirst=Thomas&rft_id=http%3A%2F%2Fwww.scriptalert1.com&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://lockmedown.com/preventing-xss-in-asp-net-made-easy/">"Preventing XSS in ASP.NET Made Easy"</a>. <i>Lock Me Down | Security for the Everyday Developer</i>. February 6, 2015<span class="reference-accessdate">. Retrieved <span class="nowrap">October 24,</span> 2015</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Lock+Me+Down+%26%23124%3B+Security+for+the+Everyday+Developer&rft.atitle=Preventing+XSS+in+ASP.NET+Made+Easy&rft.date=2015-02-06&rft_id=http%3A%2F%2Flockmedown.com%2Fpreventing-xss-in-asp-net-made-easy%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="http://projects.webappsec.org/Cross-Site-Scripting">"Cross Site Scripting"</a>. <i>The Web Application Security Consortium</i>. October 13, 2005<span class="reference-accessdate">. 
Retrieved <span class="nowrap">October 24,</span> 2015</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Web+Application+Security+Consortium&rft.atitle=Cross+Site+Scripting&rft.date=2005-10-13&rft_id=http%3A%2F%2Fprojects.webappsec.org%2FCross-Site-Scripting&rfr_id=info%3Asid%2Fen.wikipedia.org%3ACross-site+scripting" class="Z3988"></span></li></ul> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2></div> <ul><li><a href="/wiki/OWASP" title="OWASP">OWASP</a>: <a rel="nofollow" class="external text" href="https://owasp.org/www-community/attacks/xss/">XSS</a>, <a rel="nofollow" class="external text" href="http://www.owasp.org/index.php/Testing_for_Cross_site_scripting">Testing for XSS</a>, <a rel="nofollow" class="external text" href="http://www.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting">Reviewing Code for XSS</a></li> <li><a rel="nofollow" class="external text" href="http://www.xssed.com/">XSSed: Database of Websites Vulnerable to Cross-Site Scripting Attacks</a></li></ul>
<a href="/wiki/Dynamic_HTML" title="Dynamic HTML">DHTML</a></li> <li><a href="/wiki/Browser_extension" title="Browser extension">Browser extension</a></li> <li><a class="mw-selflink selflink">Cross-site scripting</a> and <a href="/wiki/Cross-origin_resource_sharing" title="Cross-origin resource sharing">CORS</a></li> <li><a href="/wiki/Hydration_(web_development)" title="Hydration (web development)">Hydration</a></li> <li><a href="/wiki/Mashup_(web_application_hybrid)" title="Mashup (web application hybrid)">Mashup</a></li> <li><a href="/wiki/Client-side_persistent_data" title="Client-side persistent data">Persistent data</a></li> <li><a href="/wiki/Web_IDL" title="Web IDL">Web IDL</a></li> <li><a href="/wiki/Dynamic_web_page#Client-side_scripting" title="Dynamic web page">Scripting</a></li></ul> </div></td></tr></tbody></table><div></div></td></tr><tr><td colspan="2" class="navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"></div><table class="nowraplinks navbox-subgroup" style="border-spacing:0"><tbody><tr><td class="navbox-abovebelow" colspan="2"><div id="Related_topics">Related topics</div></td></tr><tr><td colspan="2" class="navbox-list navbox-odd" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Frontend_and_backend" title="Frontend and backend">Frontend and backend</a></li> <li><a href="/wiki/Microservices" title="Microservices">Microservices</a> <ul><li><a href="/wiki/REST" title="REST">REST</a></li> <li><a href="/wiki/GraphQL" title="GraphQL">GraphQL</a></li></ul></li> <li><a href="/wiki/Push_technology" title="Push technology">Push technology</a></li> <li><a href="/wiki/Solution_stack" title="Solution stack">Solution stack</a></li> <li><a href="/wiki/Web_page" title="Web page">Web page</a> <ul><li><a href="/wiki/Static_web_page" title="Static web page">Static</a></li> <li><a href="/wiki/Dynamic_web_page" title="Dynamic web page">Dynamic</a></li></ul></li> <li><a 
href="/wiki/Web_standards" title="Web standards">Web standards</a></li> <li><a href="/wiki/Web_API_security" title="Web API security">Web API security</a></li> <li><a href="/wiki/Web_application" title="Web application">Web application</a> <ul><li><a href="/wiki/Rich_Internet_Application" title="Rich Internet Application">Rich</a></li> <li><a href="/wiki/Single-page_application" title="Single-page application">Single-page</a></li> <li><a href="/wiki/Progressive_web_app" title="Progressive web app">Progressive</a></li></ul></li> <li><a href="/wiki/Web_framework" title="Web framework">Web framework</a></li></ul> </div></td></tr></tbody></table><div></div></td></tr></tbody></table></div> <div class="navbox-styles"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236075235"></div><div role="navigation" class="navbox" aria-labelledby="Information_security" style="padding:3px"><table class="nowraplinks mw-collapsible autocollapse navbox-inner" style="border-spacing:0;background:transparent;color:inherit"><tbody><tr><th scope="col" class="navbox-title" colspan="3"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1239400231"><div class="navbar plainlinks hlist navbar-mini"><ul><li class="nv-view"><a href="/wiki/Template:Information_security" title="Template:Information security"><abbr title="View this template">v</abbr></a></li><li class="nv-talk"><a href="/wiki/Template_talk:Information_security" title="Template talk:Information security"><abbr title="Discuss this template">t</abbr></a></li><li class="nv-edit"><a href="/wiki/Special:EditPage/Template:Information_security" title="Special:EditPage/Template:Information security"><abbr title="Edit this template">e</abbr></a></li></ul></div><div id="Information_security" style="font-size:114%;margin:0 4em"><a 
href="/wiki/Information_security" title="Information security">Information security</a></div></th></tr><tr><th scope="row" class="navbox-group" style="width:1%">Related security categories</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Computer_security" title="Computer security">Computer security</a></li> <li><a href="/wiki/Automotive_security" title="Automotive security">Automotive security</a></li> <li><a href="/wiki/Cybercrime" title="Cybercrime">Cybercrime</a> <ul><li><a href="/wiki/Cybersex_trafficking" title="Cybersex trafficking">Cybersex trafficking</a></li> <li><a href="/wiki/Computer_fraud" title="Computer fraud">Computer fraud</a></li></ul></li> <li><a href="/wiki/Cybergeddon" title="Cybergeddon">Cybergeddon</a></li> <li><a href="/wiki/Cyberterrorism" title="Cyberterrorism">Cyberterrorism</a></li> <li><a href="/wiki/Cyberwarfare" title="Cyberwarfare">Cyberwarfare</a></li> <li><a href="/wiki/Electromagnetic_warfare" class="mw-redirect" title="Electromagnetic warfare">Electromagnetic warfare</a></li> <li><a href="/wiki/Information_warfare" title="Information warfare">Information warfare</a></li> <li><a href="/wiki/Internet_security" title="Internet security">Internet security</a></li> <li><a href="/wiki/Mobile_security" title="Mobile security">Mobile security</a></li> <li><a href="/wiki/Network_security" title="Network security">Network security</a></li> <li><a href="/wiki/Copy_protection" title="Copy protection">Copy protection</a></li> <li><a href="/wiki/Digital_rights_management" title="Digital rights management">Digital rights management</a></li></ul> </div></td><td class="noviewer navbox-image" rowspan="3" style="width:1px;padding:0 0 0 2px"><div><figure class="mw-halign-center" typeof="mw:File"><a href="/wiki/File:CIAJMK1209-en.svg" class="mw-file-description" title="vectorial version"><img alt="vectorial version" 
src="//upload.wikimedia.org/wikipedia/commons/thumb/c/c5/CIAJMK1209-en.svg/150px-CIAJMK1209-en.svg.png" decoding="async" width="150" height="150" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/c/c5/CIAJMK1209-en.svg/225px-CIAJMK1209-en.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/c/c5/CIAJMK1209-en.svg/300px-CIAJMK1209-en.svg.png 2x" data-file-width="496" data-file-height="496" /></a><figcaption>vectorial version</figcaption></figure></div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%"><a href="/wiki/Threat_(computer)" class="mw-redirect" title="Threat (computer)">Threats</a></th><td class="navbox-list-with-group navbox-list navbox-even hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Adware" title="Adware">Adware</a></li> <li><a href="/wiki/Advanced_persistent_threat" title="Advanced persistent threat">Advanced persistent threat</a></li> <li><a href="/wiki/Arbitrary_code_execution" title="Arbitrary code execution">Arbitrary code execution</a></li> <li><a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">Backdoors</a></li> <li>Bombs <ul><li><a href="/wiki/Fork_bomb" title="Fork bomb">Fork</a></li> <li><a href="/wiki/Logic_bomb" title="Logic bomb">Logic</a></li> <li><a href="/wiki/Time_bomb_(software)" title="Time bomb (software)">Time</a></li> <li><a href="/wiki/Zip_bomb" title="Zip bomb">Zip</a></li></ul></li> <li><a href="/wiki/Hardware_backdoor" title="Hardware backdoor">Hardware backdoors</a></li> <li><a href="/wiki/Code_injection" title="Code injection">Code injection</a></li> <li><a href="/wiki/Crimeware" title="Crimeware">Crimeware</a></li> <li><a class="mw-selflink selflink">Cross-site scripting</a></li> <li><a href="/wiki/Cross-site_leaks" title="Cross-site leaks">Cross-site leaks</a></li> <li><a href="/wiki/DOM_clobbering" title="DOM clobbering">DOM clobbering</a></li> <li><a href="/wiki/History_sniffing" title="History 
sniffing">History sniffing</a></li> <li><a href="/wiki/Cryptojacking" title="Cryptojacking">Cryptojacking</a></li> <li><a href="/wiki/Botnet" title="Botnet">Botnets</a></li> <li><a href="/wiki/Data_breach" title="Data breach">Data breach</a></li> <li><a href="/wiki/Drive-by_download" title="Drive-by download">Drive-by download</a></li> <li><a href="/wiki/Browser_Helper_Object" title="Browser Helper Object">Browser Helper Objects</a></li> <li><a href="/wiki/Computer_virus" title="Computer virus">Viruses</a></li> <li><a href="/wiki/Data_scraping" title="Data scraping">Data scraping</a></li> <li><a href="/wiki/Denial-of-service_attack" title="Denial-of-service attack">Denial-of-service attack</a></li> <li><a href="/wiki/Eavesdropping" title="Eavesdropping">Eavesdropping</a></li> <li><a href="/wiki/Email_fraud" title="Email fraud">Email fraud</a></li> <li><a href="/wiki/Email_spoofing" title="Email spoofing">Email spoofing</a></li> <li><a href="/wiki/Exploit_(computer_security)" title="Exploit (computer security)">Exploits</a></li> <li><a href="/wiki/Dialer#Fraudulent_dialer" title="Dialer">Fraudulent dialers</a></li> <li><a href="/wiki/Hacktivism" title="Hacktivism">Hacktivism</a></li> <li><a href="/wiki/Infostealer" title="Infostealer">Infostealer</a></li> <li><a href="/wiki/Insecure_direct_object_reference" title="Insecure direct object reference">Insecure direct object reference</a></li> <li><a href="/wiki/Keystroke_logging" title="Keystroke logging">Keystroke loggers</a></li> <li><a href="/wiki/Malware" title="Malware">Malware</a></li> <li><a href="/wiki/Payload_(computing)" title="Payload (computing)">Payload</a></li> <li><a href="/wiki/Phishing" title="Phishing">Phishing</a> <ul><li><a href="/wiki/Voice_phishing" title="Voice phishing">Voice</a></li></ul></li> <li><a href="/wiki/Polymorphic_engine" title="Polymorphic engine">Polymorphic engine</a></li> <li><a href="/wiki/Privilege_escalation" title="Privilege escalation">Privilege escalation</a></li> <li><a 
href="/wiki/Ransomware" title="Ransomware">Ransomware</a></li> <li><a href="/wiki/Rootkit" title="Rootkit">Rootkits</a></li> <li><a href="/wiki/Scareware" title="Scareware">Scareware</a></li> <li><a href="/wiki/Shellcode" title="Shellcode">Shellcode</a></li> <li><a href="/wiki/Spamming" title="Spamming">Spamming</a></li> <li><a href="/wiki/Social_engineering_(security)" title="Social engineering (security)">Social engineering</a></li> <li><a href="/wiki/Spyware" title="Spyware">Spyware</a></li> <li><a href="/wiki/Software_bug" title="Software bug">Software bugs</a></li> <li><a href="/wiki/Trojan_horse_(computing)" title="Trojan horse (computing)">Trojan horses</a></li> <li><a href="/wiki/Hardware_Trojan" title="Hardware Trojan">Hardware Trojans</a></li> <li><a href="/wiki/Remote_access_trojan" class="mw-redirect" title="Remote access trojan">Remote access trojans</a></li> <li><a href="/wiki/Vulnerability_(computing)" class="mw-redirect" title="Vulnerability (computing)">Vulnerability</a></li> <li><a href="/wiki/Web_shell" title="Web shell">Web shells</a></li> <li><a href="/wiki/Wiper_(malware)" title="Wiper (malware)">Wiper</a></li> <li><a href="/wiki/Computer_worm" title="Computer worm">Worms</a></li> <li><a href="/wiki/SQL_injection" title="SQL injection">SQL injection</a></li> <li><a href="/wiki/Rogue_security_software" title="Rogue security software">Rogue security software</a></li> <li><a href="/wiki/Zombie_(computing)" title="Zombie (computing)">Zombie</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Defenses</th><td class="navbox-list-with-group navbox-list navbox-odd hlist" style="width:100%;padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/Application_security" title="Application security">Application security</a> <ul><li><a href="/wiki/Secure_coding" title="Secure coding">Secure coding</a></li> <li>Secure by default</li> <li><a href="/wiki/Secure_by_design" title="Secure by design">Secure by design</a> 
<ul><li><a href="/wiki/Misuse_case" title="Misuse case">Misuse case</a></li></ul></li></ul></li> <li><a href="/wiki/Computer_access_control" title="Computer access control">Computer access control</a> <ul><li><a href="/wiki/Authentication" title="Authentication">Authentication</a> <ul><li><a href="/wiki/Multi-factor_authentication" title="Multi-factor authentication">Multi-factor authentication</a></li></ul></li> <li><a href="/wiki/Authorization" title="Authorization">Authorization</a></li></ul></li> <li><a href="/wiki/Computer_security_software" title="Computer security software">Computer security software</a> <ul><li><a href="/wiki/Antivirus_software" title="Antivirus software">Antivirus software</a></li> <li><a href="/wiki/Security-focused_operating_system" title="Security-focused operating system">Security-focused operating system</a></li></ul></li> <li><a href="/wiki/Data-centric_security" title="Data-centric security">Data-centric security</a></li> <li><a href="/wiki/Code_obfuscation" class="mw-redirect" title="Code obfuscation">Obfuscation (software)</a></li> <li><a href="/wiki/Data_masking" title="Data masking">Data masking</a></li> <li><a href="/wiki/Encryption" title="Encryption">Encryption</a></li> <li><a href="/wiki/Firewall_(computing)" title="Firewall (computing)">Firewall</a></li> <li><a href="/wiki/Intrusion_detection_system" title="Intrusion detection system">Intrusion detection system</a> <ul><li><a href="/wiki/Host-based_intrusion_detection_system" title="Host-based intrusion detection system">Host-based intrusion detection system</a> (HIDS)</li> <li><a href="/wiki/Anomaly_detection" title="Anomaly detection">Anomaly detection</a></li></ul></li> <li><a href="/wiki/Information_security_management" title="Information security management">Information security management</a> <ul><li><a href="/wiki/Information_risk_management" class="mw-redirect" title="Information risk management">Information risk management</a></li> <li><a 
href="/wiki/Security_information_and_event_management" title="Security information and event management">Security information and event management</a> (SIEM)</li></ul></li> <li><a href="/wiki/Runtime_application_self-protection" title="Runtime application self-protection">Runtime application self-protection</a></li> <li><a href="/wiki/Site_isolation" title="Site isolation">Site isolation</a></li></ul> </div></td></tr></tbody></table></div> <!-- NewPP limit report Parsed by mw‐web.codfw.main‐f69cdc8f6‐sbtsb Cached time: 20241122141212 Cache expiry: 2592000 Reduced expiry: false Complications: [vary‐revision‐sha1, show‐toc] CPU time usage: 0.750 seconds Real time usage: 0.901 seconds Preprocessor visited node count: 3189/1000000 Post‐expand include size: 119197/2097152 bytes Template argument size: 2560/2097152 bytes Highest expansion depth: 17/100 Expensive parser function count: 13/500 Unstrip recursion depth: 1/20 Unstrip post‐expand size: 177113/5000000 bytes Lua time usage: 0.483/10.000 seconds Lua memory usage: 6031717/52428800 bytes Number of Wikibase entities loaded: 0/400 --> <!-- Transclusion expansion time report (%,ms,calls,template) 100.00% 772.772 1 -total 50.54% 390.574 2 Template:Reflist 38.27% 295.719 38 Template:Cite_web 15.13% 116.955 1 Template:Web_interfaces 12.77% 98.706 1 Template:Short_description 9.08% 70.165 2 Template:Pagetype 5.70% 44.017 2 Template:Fix 5.01% 38.745 1 Template:Non-primary_source_needed 3.60% 27.786 3 Template:Category_handler 3.33% 25.736 1 Template:Redirect --> <!-- Saved in parser cache with key enwiki:pcache:idhash:241154-0!canonical and timestamp 20241122141212 and revision id 1258701613. 
Rendering was triggered because: page-view --> </div><!--esi <esi:include src="/esitest-fa8a495983347898/content" /> --><noscript><img src="https://login.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://en.wikipedia.org/w/index.php?title=Cross-site_scripting&oldid=1258701613">https://en.wikipedia.org/w/index.php?title=Cross-site_scripting&oldid=1258701613</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Help:Category" title="Help:Category">Categories</a>: <ul><li><a href="/wiki/Category:Web_security_exploits" title="Category:Web security exploits">Web security exploits</a></li><li><a href="/wiki/Category:Injection_exploits" title="Category:Injection exploits">Injection exploits</a></li><li><a href="/wiki/Category:Hacking_(computer_security)" title="Category:Hacking (computer security)">Hacking (computer security)</a></li><li><a href="/wiki/Category:Client-side_web_security_exploits" title="Category:Client-side web security exploits">Client-side web security exploits</a></li></ul></div><div id="mw-hidden-catlinks" class="mw-hidden-catlinks mw-hidden-cats-hidden">Hidden categories: <ul><li><a href="/wiki/Category:All_articles_with_dead_external_links" title="Category:All articles with dead external links">All articles with dead external links</a></li><li><a href="/wiki/Category:Articles_with_dead_external_links_from_August_2018" title="Category:Articles with dead external links from August 2018">Articles with dead external links from August 2018</a></li><li><a href="/wiki/Category:Articles_with_permanently_dead_external_links" title="Category:Articles with permanently dead external links">Articles with permanently dead external links</a></li><li><a 
href="/wiki/Category:Articles_with_short_description" title="Category:Articles with short description">Articles with short description</a></li><li><a href="/wiki/Category:Short_description_is_different_from_Wikidata" title="Category:Short description is different from Wikidata">Short description is different from Wikidata</a></li><li><a href="/wiki/Category:Use_mdy_dates_from_June_2019" title="Category:Use mdy dates from June 2019">Use mdy dates from June 2019</a></li><li><a href="/wiki/Category:All_pages_needing_factual_verification" title="Category:All pages needing factual verification">All pages needing factual verification</a></li><li><a href="/wiki/Category:Wikipedia_articles_needing_factual_verification_from_October_2024" title="Category:Wikipedia articles needing factual verification from October 2024">Wikipedia articles needing factual verification from October 2024</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 21 November 2024, at 03:18<span class="anonymous-show"> (UTC)</span>.</li> <li id="footer-info-copyright">Text is available under the <a href="/wiki/Wikipedia:Text_of_the_Creative_Commons_Attribution-ShareAlike_4.0_International_License" title="Wikipedia:Text of the Creative Commons Attribution-ShareAlike 4.0 International License">Creative Commons Attribution-ShareAlike 4.0 License</a>; additional terms may apply. By using this site, you agree to the <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use" class="extiw" title="foundation:Special:MyLanguage/Policy:Terms of Use">Terms of Use</a> and <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy" class="extiw" title="foundation:Special:MyLanguage/Policy:Privacy policy">Privacy Policy</a>. 
Wikipedia® is a registered trademark of the <a rel="nofollow" class="external text" href="https://wikimediafoundation.org/">Wikimedia Foundation, Inc.</a>, a non-profit organization.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Wikipedia:About">About Wikipedia</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Wikipedia:General_disclaimer">Disclaimers</a></li> <li id="footer-places-contact"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Universal_Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/en.wikipedia.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//en.m.wikipedia.org/w/index.php?title=Cross-site_scripting&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://wikimediafoundation.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/static/images/footer/wikimedia-button.svg" width="84" height="29" alt="Wikimedia Foundation" loading="lazy"></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/w/resources/assets/poweredby_mediawiki.svg" alt="Powered by MediaWiki" width="88" 
height="31" loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-f69cdc8f6-tfkkl","wgBackendResponseTime":206,"wgPageParseReport":{"limitreport":{"cputime":"0.750","walltime":"0.901","ppvisitednodes":{"value":3189,"limit":1000000},"postexpandincludesize":{"value":119197,"limit":2097152},"templateargumentsize":{"value":2560,"limit":2097152},"expansiondepth":{"value":17,"limit":100},"expensivefunctioncount":{"value":13,"limit":500},"unstrip-depth":{"value":1,"limit":20},"unstrip-size":{"value":177113,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 772.772 1 -total"," 50.54% 390.574 2 Template:Reflist"," 38.27% 295.719 38 Template:Cite_web"," 15.13% 116.955 1 Template:Web_interfaces"," 12.77% 98.706 1 Template:Short_description"," 9.08% 70.165 2 Template:Pagetype"," 5.70% 44.017 2 Template:Fix"," 5.01% 38.745 1 Template:Non-primary_source_needed"," 3.60% 27.786 3 Template:Category_handler"," 3.33% 25.736 1 Template:Redirect"]},"scribunto":{"limitreport-timeusage":{"value":"0.483","limit":"10.000"},"limitreport-memusage":{"value":6031717,"limit":52428800}},"cachereport":{"origin":"mw-web.codfw.main-f69cdc8f6-sbtsb","timestamp":"20241122141212","ttl":2592000,"transientcontent":false}}});});</script> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Cross-site scripting","url":"https:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting","sameAs":"http:\/\/www.wikidata.org\/entity\/Q371199","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q371199","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, 
Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2003-06-06T11:12:20Z","dateModified":"2024-11-21T03:18:59Z","headline":"type of computer security vulnerability typically found in web applications"}</script> </body> </html>