Web security
What is XSS?
Cross-Site Scripting (XSS) is a flaw where an application reflects untrusted input back into a page without escaping it, so an attacker's JavaScript runs in your visitors' browsers — stealing sessions, rewriting the page, or keylogging. The fixes are output-encoding everything you render and deploying a strict Content-Security-Policy as a backstop.
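The two fixes named above, shown side by side as an added example (not code from the original page): an unescaped template next to its output-encoded form, plus a nonce-based Content-Security-Policy header value. The function names, the sample input and the sample nonce are constructed for illustration.

```javascript
// Added example: constructed input, hypothetical function names.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML element content and quoted attribute values.
// Other contexts (inline script, URLs, CSS) need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: untrusted input is concatenated into markup unchanged.
function renderUnsafe(query) {
  return `<p>Results for ${query}</p>`;
}

// Hardened: the same template with the value encoded at output time.
function renderSafe(query) {
  return `<p>Results for ${escapeHtml(query)}</p>`;
}

// Strict CSP backstop: only scripts carrying this response's nonce may run,
// so injected inline script is blocked even if an encoding step is missed.
// The nonce must be fresh per response and come from a CSPRNG; it is passed
// in here so the example has no dependencies.
function buildCsp(nonce) {
  if (!/^[A-Za-z0-9+/_-]{22,}={0,2}$/.test(nonce)) {
    throw new Error('nonce too short or malformed');
  }
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

const input = '<script>alert(1)</script>'; // constructed test value
console.log(renderUnsafe(input)); // markup the browser would execute
console.log(renderSafe(input));   // inert text
console.log('Content-Security-Policy: ' + buildCsp('q1w2e3r4t5y6u7i8o9p0aZ=='));
```

In practice, a template engine with auto-escaping enabled does the encoding step for every interpolation, which is more reliable than calling an encoder by hand.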