# Cross-site scripting (XSS)

Cross-site scripting is the way an attacker gets a script (typically `JavaScript`) into our system or database so that it is later delivered to, and executed in, other users' browsers.

#### Example


1. We have a database that stores comments as plain text, without validating the input.
2. The attacker submits a script as the comment text, and we store it in the DB as-is.
3. When another client opens the website to view the comment, the stored script runs in their browser.

#### How to Protect

1. Validate input so that script content is rejected or neutralised before it is stored.
2. Encode data before rendering it as HTML. Modern frameworks already handle this; React, for example, escapes special characters by default.
3. Add a `Content-Security-Policy` (CSP) header to determine which kinds of JS script are allowed to run.
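The following is an added example, not code from the original page, showing protection 2 (output encoding) on a stored comment: the unsafe rendering concatenates the comment straight into markup, the safe rendering escapes it first. It assumes Node.js and a constructed comment record; the CSP value is a placeholder illustrating protection 3.

```javascript
// Added example: output encoding for comments stored as plain text.
// The protection is applied at render time by replacing every character
// that has meaning in HTML with its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value so it renders as literal text inside an element body or a
// double-quoted attribute. Context matters: this encoder is NOT sufficient
// for JavaScript, URL or CSS contexts, which need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: stored fields are concatenated directly into markup, so
// any markup the commenter submitted becomes part of the page (stored XSS).
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Safe rendering: every untrusted field is encoded before it reaches the HTML,
// which is what React does by default when rendering strings in JSX.
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// Constructed sample comment, as it would come back from the database.
const storedComment = {
  author: "mallory",
  body: "Nice post <script>alert(1)</script>",
};

// Defence in depth: a CSP header lets the browser refuse inline scripts even
// where encoding was missed. The nonce is a placeholder; a real server
// generates a fresh random one per response.
const cspHeader =
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'";

console.log(renderCommentUnsafe(storedComment)); // markup survives intact
console.log(renderCommentSafe(storedComment));   // markup rendered as text
console.log(cspHeader);
```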
