1 article with this tag
XSS makes an attacker-supplied string run 'as script' in another user's browser — straight to session theft and impersonation. The real defense is escaping on output. Don't disable your framework's auto-escaping.