Browsers render HTML, run JavaScript, and parse CSS. When a server drops user input into a page without escaping it, the browser can read that input as markup or script instead of text. Data becomes code.
This is Cross-Site Scripting (XSS). It comes in three flavors:
This module walks through how each type shows up and how small input-handling mistakes lead to full client-side compromise.
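The "data becomes code" failure described above, as an added example that is not part of the original module: the same input is rendered once by plain concatenation and once through HTML escaping, and a crude tag counter shows whether the input introduced markup of its own. The function names, the search-results template and the sample input are assumptions made for this illustration.

```javascript
// Added example; all names here are hypothetical, not from the module.

// Characters that can change how the HTML parser reads text, mapped to
// their entity form.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for use as HTML text or inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into markup, so the
// browser parses whatever tags it contains.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the input is escaped first, so the browser shows it as text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude check for this template only: list every tag in the output other
// than the template's own <p> and </p>. Anything returned came from input.
function tagsIntroduced(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<\/?p>$/.test(tag));
}

// Constructed sample input.
const sample = '<script>alert(1)</script>';

console.log(renderSearchUnsafe(sample));
console.log(tagsIntroduced(renderSearchUnsafe(sample))); // tags from input
console.log(renderSearchSafe(sample));
console.log(tagsIntroduced(renderSearchSafe(sample)));   // empty list
```

Escaping of this kind covers HTML text and quoted attribute values only; input placed inside a script block, a URL or a style rule needs encoding for that context instead.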