SecureStartKit
SecurityFeaturesPricingDocsBlogChangelog
Sign inBuy Now
Home/Glossary/XSS
Vulnerability Patterns

XSS(Cross-Site Scripting)

Also known as: Cross-Site Scripting, stored XSS, reflected XSS

Definition

XSS (Cross-Site Scripting) is a vulnerability where attacker-controlled content reaches a page and executes as JavaScript in the victim's browser. React mitigates XSS by default through JSX escaping, but the raw-HTML escape-hatch prop, raw HTML in MDX, and trusted-data assumptions still create injection paths.

What is XSS?

XSS happens when user input or other untrusted data is rendered into HTML without escaping, and the rendered output contains a <script> tag or an event handler attribute that the browser executes. The attacker's script then runs in the victim's session and can read cookies, exfiltrate data, or make authenticated requests.

How does React prevent XSS by default?

JSX automatically escapes <, >, &, ", and ' when rendering text values. Writing <div>{userInput}</div> is safe even if userInput contains a script tag. The escape pass turns the tag into harmless text. The exception is React's prop for injecting raw HTML strings, which intentionally bypasses escaping and must never be used on user-controlled values.

What is a nonce-based CSP?

A defense-in-depth layer. Even if XSS injects a <script> tag, the browser refuses to execute it unless the tag carries a server-generated nonce that matches the CSP header. A Routing Middleware generates the nonce per request, the server-rendered tags include it, and attacker-injected tags lack it. This is the architectural fix recommended in the 12-step hardening checklist.

Learn more

  • CSRF, XSS, SQL Injection Prevention in Next.js
  • Next.js Security Hardening Checklist
  • XSS via dangerouslySetInnerHTML: the fix

Related terms

  • CSPCSP (Content Security Policy) is an HTTP response header that tells the browser which sources of scripts, styles, images, and other resources are allowed to load on a page. A well-configured CSP blocks injected scripts even if an XSS vulnerability exists in the application code.
  • CSRFCSRF (Cross-Site Request Forgery) is an attack where a malicious site causes the victim's browser to send a request to a target site using the victim's existing session cookies. In Next.js App Router, Server Actions defend against CSRF by checking the Origin header against the Host on every POST.
  • OWASP Top 10The OWASP Top 10 is the consensus list of the ten most critical web application security risks, updated by the Open Worldwide Application Security Project. The 2025 edition (current as of 2026) includes Broken Access Control as A01, Cryptographic Failures as A02, and a new A10 for Mishandling of Exceptional Conditions.
← Back to full glossary