Cross-site scripting (XSS) attacks use third-party web resources to run attacker-supplied scripts in the victim's web browser or other scriptable application.
Specifically, in the stored variant, the attacker injects a payload containing malicious JavaScript into a website's database. When the victim requests a page from the website, the website transmits the page, with the attacker's payload embedded in the HTML body, to the victim's browser, which executes the malicious script.
For example, the script might send the victim's session cookie to the attacker's server; the attacker then extracts it and uses it for session hijacking.
Mitigations for cross-site scripting:
Whitelist (allow-list) input values.
Escape dynamic content before inserting it into HTML.
Sanitize HTML that must be rendered as markup.
Implement a Content Security Policy (CSP).
Give users the option to disable client-side scripts.