XSS Vulnerability Examples

VULNERABLE: Reflected XSS

SECURE: Using textContent

SECURE: DOMPurify HTML Sanitization

SECURE: Server-Side HTML Escaping

XSS Prevention Checklist

✓ Never use innerHTML with user input - use textContent instead
✓ Use established sanitization libraries (DOMPurify, bleach, etc.)
✓ HTML-escape on server side before sending to client
✓ Use Content-Security-Policy headers to block inline scripts
✓ Validate and whitelist input on both client and server
✓ Use template engines that auto-escape by default
✓ Avoid eval(), Function(), setTimeout(string), setInterval(string)
✓ Set X-Content-Type-Options: nosniff header
✓ Use HttpOnly and Secure flags on session cookies
✓ Test with OWASP ZAP or Burp Suite for XSS vulnerabilities