Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. Because such a script runs in the victim's browser under the trusted page's origin, it can hijack user sessions, deface websites, or steal sensitive information.
# Vulnerable code (unsanitized user input in HTML output)
# `request` / `response` come from the surrounding web framework (not shown
# here); `message` is entirely attacker-controllable.
message = request.getParameter("message")
# Sink: the raw value is spliced into markup with no escaping, so any script
# or markup it contains is rendered by the browser of whoever views the page.
html = "".join(("<div>", message, "</div>"))
response.write(html)
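# Secure code (sanitizing user input)
# Import only the function so the `html` variable below does not shadow the
# `html` module (the original did `import html` and then rebound `html` to a
# string, which breaks any later call to html.escape()).
from html import escape

# `request` / `response` come from the surrounding web framework (not shown).
# NOTE(review): getParameter is assumed to return None when the parameter is
# absent — confirm against the framework; the `or ""` keeps escape() from
# raising on None.
message = request.getParameter("message") or ""
# escape() converts &, <, >, " and ' to character entities, which neutralises
# the value for an HTML element-body (or quoted-attribute) context. Other
# sinks — JavaScript, URL, CSS — need their own context-specific encoding.
sanitizedMessage = escape(message)
html = f"<div>{sanitizedMessage}</div>"
response.write(html)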