Cross-site scripting (XSS)
Comes from echoing user input back to the browser without escaping it as HTML
Common mistake is to put user input into an error message:
- Unknown input <script>alert("XSS")</script>
Attacker controls JavaScript sent by your app to every user who sees that page
Can be used to send cookies or other sensitive information to attacker-controlled sites
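An added example, not from the original slides: the error-message mistake side by side with the escaped version. The payload string is constructed from the slide's own example, and the function names are assumptions made for this illustration.

```python
import html

# Constructed sample input, taken from the slide's example payload.
UNTRUSTED_INPUT = '<script>alert("XSS")</script>'


def error_message_vulnerable(user_input: str) -> str:
    """The slide's mistake: the raw input is pasted straight into the HTML
    error message, so the browser parses the attacker's markup as markup."""
    return f"<p>Unknown input {user_input}</p>"


def error_message_safe(user_input: str) -> str:
    """Fix: HTML-escape the input before echoing it.  <, >, &, and quotes
    become entities, so the browser shows the text instead of executing it."""
    return f"<p>Unknown input {html.escape(user_input, quote=True)}</p>"


def contains_live_script(rendered_html: str) -> bool:
    """Quick check for a test suite: does an unescaped <script> element
    survive in the rendered page?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable:", error_message_vulnerable(UNTRUSTED_INPUT))
    print("escaped:   ", error_message_safe(UNTRUSTED_INPUT))
```

`html.escape` is the right tool only for text placed inside an HTML element body or a quoted attribute value; input that ends up inside a `<script>` block, a URL, or a CSS value needs the encoding for that context instead, and a templating engine with auto-escaping on by default removes the need to remember each call.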