Cross Site Scripting (XSS)

What is Cross Site Scripting?

Cross Site Scripting ("XSS") is a type of security vulnerability found in web applications that enables bad actors to inject client-side code into web pages, where it gets executed by other users.

How does XSS work?

XSS works by abusing text inputs that aren't properly filtered, so their content gets rendered as part of the HTML code instead of as a string. An XSS attack may inject code that steals user credentials.

How to identify vulnerable spots

PHP: Spots where the website outputs user input without filtering it with htmlspecialchars()

<?php
// Vulnerable: the "search" parameter is echoed into the page without htmlspecialchars()
$query = $_GET["search"];
echo "You've searched for: " . $query;
?>

JavaScript: Spots where user input gets rendered with .innerHTML instead of .innerText

// Vulnerable: the text typed into the "search" field is parsed as HTML
const query = document.getElementById("search").value;
document.getElementById("res").innerHTML = query;
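
As an added example (not code from the original page), this Node.js script turns the two checks above into a line-based review heuristic: it flags PHP output of request data that lacks htmlspecialchars() and JavaScript assignments of non-literal values to .innerHTML. The names scanPhp and scanJs and both sample sources are constructed for illustration.

```javascript
// Added example: heuristic line-based scanner, not a full parser.
const REQUEST_DATA = /\$_(?:GET|POST|REQUEST|COOKIE)\b/;
const ESCAPED = /htmlspecialchars\s*\(/;

// Flag PHP echo/print of request data (or of a variable assigned from it)
// when the statement does not call htmlspecialchars().
function scanPhp(code) {
  const tainted = new Set(); // variables currently holding raw user input
  const findings = [];
  const usesTaint = (expr) =>
    REQUEST_DATA.test(expr) ||
    (expr.match(/\$\w+/g) || []).some((v) => tainted.has(v));
  code.split("\n").forEach((line, i) => {
    const assign = line.match(/^\s*(\$\w+)\s*=(?!=)\s*(.*)$/);
    if (assign) {
      if (usesTaint(assign[2]) && !ESCAPED.test(assign[2])) tainted.add(assign[1]);
      else tainted.delete(assign[1]); // escaped or constant value: clean again
      return;
    }
    const out = line.match(/^\s*(?:echo|print)\b(.*)$/);
    if (out && usesTaint(out[1]) && !ESCAPED.test(out[1])) {
      findings.push({ line: i + 1, issue: "unescaped output of user input" });
    }
  });
  return findings;
}

// Flag .innerHTML assignments whose right-hand side is not a plain string literal.
function scanJs(code) {
  const findings = [];
  code.split("\n").forEach((line, i) => {
    const m = line.match(/\.innerHTML\s*\+?=(?!=)\s*(.*?);?\s*$/);
    if (m && !/^(["'])[^"'`$]*\1$/.test(m[1])) {
      findings.push({ line: i + 1, issue: "dynamic value assigned to innerHTML" });
    }
  });
  return findings;
}

// Constructed sample sources (not from a real application).
const phpSample = ['<?php', '$query = $_GET["search"];',
  'echo "You\'ve searched for: " . $query;',
  '$safe = htmlspecialchars($_GET["search"]);',
  'echo "You\'ve searched for: " . $safe;', '?>'].join("\n");
const jsSample = ['const query = document.getElementById("search").value;',
  'document.getElementById("res").innerHTML = query;',
  'document.getElementById("res").innerText = query;'].join("\n");
console.log(scanPhp(phpSample), scanJs(jsSample));
```

A finding marks a line for manual review; because the check is per line, output that mixes escaped and unescaped values in one statement is not reported.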