What is cross-site scripting?
Let’s take a simple example to understand this. Let’s say you have the below URL and you are submitting the request to the server using the GET method,
and after submitting this request your web site stores the same data in the database and also executes the same request server side as well as client side.
What hackers do is change the URL as shown below and submit it.
So, when you take this data from the database or read it from the query string, the system will show an alert message with “Gotcha!” as the text.
Solution to XSS:
Sanitize the data while storing it in the database or retrieving it from the database.
Sometimes HTML must be allowed (for example, in a Content Management System). In that case, use the concept of blacklisting and whitelisting to allow or prevent the tags used with the content being displayed on the site.
The recommended solution is to use whitelisting for CMS tags. Apart from these tags, sanitize everything else.
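One way to implement the whitelisting approach described above, as an added example that is not code from the original page. The function names and the list of allowed tags are assumptions chosen for illustration; the sample inputs are constructed.

```javascript
// Assumed whitelist of CMS formatting tags (not taken from the page).
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "ul", "ol", "li", "br"];

// Escape every character that has special meaning in HTML text or attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape everything first, then restore only exact, attribute-free tags
// from the whitelist. A tag carrying any attribute (onclick, style, href)
// never matches the pattern, so it stays escaped and is shown as text.
function sanitizeCmsHtml(input) {
  const escaped = escapeHtml(input);
  const names = ALLOWED_TAGS.join("|");
  const tagPattern = new RegExp(`&lt;(/?)(${names})\\s*(/?)&gt;`, "gi");
  return escaped.replace(
    tagPattern,
    (_match, close, name, selfClose) =>
      `<${close}${name.toLowerCase()}${selfClose}>`
  );
}

// Constructed sample inputs: whitelisted markup, a script tag, and a
// whitelisted tag that carries an event-handler attribute.
const samples = [
  '<b>Hello</b><script>alert("Gotcha!")</script>',
  '<p onclick="alert(1)">click</p>',
  "<ul><li>one</li></ul><br/>",
];
for (const sample of samples) {
  console.log(sanitizeCmsHtml(sample));
}
```

Apply the function at the point where stored content is written into the page, so data that reached the database unsanitized is still neutralized on output.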