XSS
Cross-Site Scripting (XSS) attacks happen when malicious code is injected into a web page and executed by the user's browser.
XSS can be used to steal sensitive information, such as cookies, session tokens, or credit card details. With a stolen session token, an attacker can gain unauthorized access to the user's account. Attackers can also use XSS to modify the appearance of a website or display malicious content.
To mitigate this risk, avoid placing untrusted content, such as user-generated content, directly into HTML. Instead, use a suitable template library or encode the content appropriately. In libraries like React, content is always encoded unless you use dangerouslySetInnerHTML, so exercise caution with that method.
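
The difference between placing untrusted content directly into HTML and encoding it first, as an added example that is not part of the original page. The names escapeHtml, html, renderComment and renderCommentUnsafe are hypothetical, and the sample comment is constructed.

```javascript
// Characters that change meaning in HTML element content or quoted attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal tagged template (hypothetical helper): the literal parts are
// developer-written markup, every interpolated value is encoded.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) =>
      out + part + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Unsafe: untrusted fields are concatenated directly into the markup.
function renderCommentUnsafe(comment) {
  return '<li title="' + comment.author + '">' + comment.body + "</li>";
}

// Encoded: same markup, but untrusted fields pass through escapeHtml.
function renderComment(comment) {
  return html`<li title="${comment.author}">${comment.body}</li>`;
}

// Constructed sample of user-generated content.
const sample = {
  author: 'mallory" onmouseover="alert(1)',
  body: "<script>alert(1)</script>",
};

console.log("unsafe :", renderCommentUnsafe(sample));
console.log("encoded:", renderComment(sample));
```

This encoding covers element content and quoted attribute values only; untrusted data placed in URLs, inline scripts or CSS needs handling specific to that context.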