Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
This weakness occurs when user input is displayed on a web page without removing or escaping HTML tags and JavaScript event handlers. An attacker can inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, redirecting visitors, or defacing content. It is one of the most common and dangerous web vulnerabilities.
02 How It Happens
Web applications often accept user input—from form fields, URL parameters, database records, or API responses—and display it directly in HTML output. If the application does not escape or sanitize this input, an attacker can embed <script> tags or event handler attributes (like onclick, onload, onerror) into the input. When the page is rendered in a browser, the injected code executes with the same privileges as the legitimate page, allowing the attacker to perform actions on behalf of the user or steal sensitive information.
The vulnerability typically arises from a false assumption that user input is "safe" or from incomplete filtering that blocks only obvious patterns (e.g., the string "script") while missing variations or event handlers.
03 Real-World Impact
An attacker exploiting this weakness can steal authentication tokens or session cookies, allowing account takeover. They can redirect users to phishing sites, inject malware, or modify page content to spread misinformation. In multi-user applications, a single injection point can compromise many visitors. The impact ranges from minor defacement to complete loss of user trust and regulatory violations if sensitive data is exposed.
Why it's vulnerable: The user_comment variable is inserted directly into HTML without any escaping. An attacker can pass text=<script>alert('XSS')</script> and the script will execute in the browser.
Why it's vulnerable: The $user_comment variable is echoed directly into the HTML. An attacker can inject <img src=x onerror="alert('XSS')"> and the event handler will execute.
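The handlers these two explanations refer to are not reproduced on this page. The following added example (not the page's own code, and not tied to any particular framework) uses the same shape in Python: a user_comment string is rendered into HTML three ways. The vulnerable version concatenates it unchanged, the "blocklist" version shows the incomplete filtering described under How It Happens (it strips only the literal string "script"), and the escaped version applies the standard-library html.escape, which is what template engines' autoescaping does for HTML text content. The SAMPLE_PAYLOAD is the one quoted above; body_is_inert is an added helper that checks whether the rendered body still contains characters that could open a tag or attribute.

```python
import html

# Constructed sample input: the event-handler payload quoted in the explanation above.
SAMPLE_PAYLOAD = "<img src=x onerror=\"alert('XSS')\">"


def render_comment_vulnerable(user_comment: str) -> str:
    """Vulnerable shape: untrusted text is concatenated straight into the HTML output."""
    return "<p>" + user_comment + "</p>"


def render_comment_blocklist(user_comment: str) -> str:
    """Incomplete filter: removes the literal, case-sensitive string 'script' and nothing else.

    It blocks the obvious <script> tag but passes <img onerror=...>, <ScRiPt>, and any
    other event-handler variant untouched.
    """
    return "<p>" + user_comment.replace("script", "") + "</p>"


def render_comment_escaped(user_comment: str) -> str:
    """Context-aware escaping for an HTML text node.

    html.escape encodes & < > " and ' as entities, so the browser displays the
    characters instead of parsing them as markup. Framework autoescaping (Jinja2,
    Django templates, Twig, Blade) performs the same transformation by default.
    """
    return "<p>" + html.escape(user_comment, quote=True) + "</p>"


def body_is_inert(rendered: str) -> bool:
    """True if the comment body between the <p> tags can no longer open a tag or attribute."""
    body = rendered[len("<p>"):-len("</p>")]
    return not any(ch in body for ch in "<>\"'")


if __name__ == "__main__":
    for name, render in [
        ("vulnerable", render_comment_vulnerable),
        ("blocklist", render_comment_blocklist),
        ("escaped", render_comment_escaped),
    ]:
        out = render(SAMPLE_PAYLOAD)
        print(f"{name:10s} inert={body_is_inert(out)!s:5s} {out}")
```

The blocklist version passes the page's own img/onerror payload through unchanged, which is exactly the "incomplete filtering" failure described above; only the escaped version produces an inert body regardless of which tag or handler the input contains.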
Always escape output: Use context-aware escaping functions (htmlspecialchars() in PHP, escape() in Flask/Jinja2, or equivalent in your framework) whenever displaying user input or untrusted data in HTML.
Use a templating engine: Modern frameworks (Django, Jinja2, Blade, Twig) escape output by default; avoid string concatenation for HTML generation.
Implement a Content Security Policy (CSP): Set Content-Security-Policy headers to restrict inline script execution and limit script sources to trusted domains.
Validate input on the server side: Reject or sanitize input that contains unexpected HTML tags or event handlers, even though escaping is the primary defense.
Use allowlists for user-generated HTML: If rich text is required, use a library like DOMPurify or bleach to strip dangerous tags while preserving safe formatting.
Test with common XSS payloads: Regularly test input fields with variations like <script>, <img onerror>, <svg onload>, and javascript: URLs to catch gaps in escaping.
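Two of the mitigations above, the Content Security Policy and the allowlist for user-generated HTML, are worth seeing concretely. This added example (written for this page, not taken from any library or framework; DOMPurify and bleach are the production choices named above) builds a CSP header value that permits only nonced and self-hosted scripts, and implements a small allowlist sanitizer on the standard-library HTMLParser that keeps a fixed set of formatting tags, keeps href only with http, https or mailto schemes, drops every other tag and attribute, and discards the contents of script and style elements. The tag and attribute lists and the host names are assumptions chosen for illustration.

```python
import html
import secrets
from html.parser import HTMLParser


# --- Content Security Policy: restrict inline script execution and script sources ---

def make_nonce() -> str:
    """Per-response random nonce; only <script nonce="..."> elements carrying it may run."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, script_hosts=()) -> str:
    """Return a Content-Security-Policy value.

    Inline scripts (including injected <script> and on* handlers) are blocked unless they
    carry the nonce; external scripts may come only from 'self' and the listed hosts
    (script_hosts are the caller's assumed trusted domains).
    """
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *script_hosts])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "object-src 'none'; base-uri 'self'"
    )


# --- Allowlist sanitizer for rich text (illustrative allowlist, not a complete policy) ---

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no other attributes survive on any tag
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}                       # emitted without a closing tag
RAW_TEXT_TAGS = {"script", "style"}      # tag dropped and its content discarded


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = False

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag: dropped, its text content kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # covers every on* event handler attribute
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue                 # rejects javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skipping = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data, quote=True))   # re-encode all text


def sanitize_rich_text(raw_html: str) -> str:
    """Rebuild the input from scratch, keeping only allowlisted structure."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(build_csp(make_nonce(), ["https://cdn.example.com"]))
    print(sanitize_rich_text('<b>hi</b><img src=x onerror="alert(\'XSS\')">'))
```

The sanitizer works by reconstruction rather than by deletion: output is generated only from tags and attributes that were explicitly approved, so anything the parser does not recognise, including event handlers and unexpected URL schemes, simply never reaches the output. The CSP is a second layer: even if a template somewhere still emits raw input, a browser enforcing this header will refuse to run an inline script that lacks the per-response nonce.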
06 Signs You May Already Be Affected
Check your application logs and user-submitted content for unusual HTML tags, script tags, or event handler attributes. If you find comments, forum posts, or profile fields containing <script>, onerror=, onclick=, or similar patterns, your application may not be escaping output correctly. Additionally, if users report unexpected pop-ups, redirects, or page modifications when viewing certain content, investigate whether injected scripts are present.
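The review described above can be partly automated. This added example (not part of the original page) scans a set of stored records and log lines for the indicators it lists: script tags, event-handler attributes, javascript: URLs and a few embedding tags. Each record is URL-decoded and entity-decoded before matching so that encoded variants in request logs are not missed. The SAMPLE_RECORDS, the record sources and the handler-name list are constructed for illustration; the output is a triage list, not a verdict, since users legitimately discussing HTML will also match.

```python
import html
import re
from urllib.parse import unquote

# Patterns corresponding to the indicators named in the text. The handler list is a
# bounded set of well-known attribute names to limit false positives on ordinary text.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(
        r"\bon(?:error|load|click|mouseover|focus|blur|input)\s*=", re.IGNORECASE
    ),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "embedding_tag": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.IGNORECASE),
}

# Constructed sample data: (source, record id, stored text or log line).
SAMPLE_RECORDS = [
    ("comment", 101, "Great article, thanks!"),
    ("comment", 102, "<img src=x onerror=\"alert('XSS')\">"),
    ("profile", 7, "Visit my site: <a href=\"javascript:alert(1)\">here</a>"),
    ("access_log", 1, "GET /search?text=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1 200"),
    ("forum_post", 55, "Use &lt;b&gt; for bold text in your posts"),
    ("comment", 103, "My favorite: &lt;svg onload=alert(1)&gt;"),
]


def decode_for_matching(text: str) -> str:
    """Undo one layer of URL encoding and one layer of HTML entity encoding."""
    return html.unescape(unquote(text))


def scan_records(records):
    """Return (source, id, pattern_name) for every pattern that matches a decoded record."""
    findings = []
    for source, record_id, text in records:
        decoded = decode_for_matching(text)
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(decoded):
                findings.append((source, record_id, name))
    return findings


if __name__ == "__main__":
    for source, record_id, name in scan_records(SAMPLE_RECORDS):
        print(f"{source}:{record_id} matched {name}")
```

Record 55 is a deliberate true negative: a post that mentions a bold tag is not an injection, and a sanitizer or escaping layer that stores it entity-encoded is behaving correctly. The follow-up for each hit is to confirm how that field is rendered; the finding is evidence that unescaped output may exist, not proof of it.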