Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. At a basic level, XSS works by tricking your application into inserting a

Never put untrusted data into your HTML unless you follow the remaining steps below. Putting dynamic data inside JavaScript code is especially dangerous, because JavaScript encoding has different semantics from the other encodings: the JavaScript engine decodes the escaped data back into its original characters before the data reaches any later sink, so escaping alone does not make the value safe for HTML. Validate all data that flows into your application from the server or from a third-party API, including data the client fetches and writes into the page itself.

DOM-based XSS is explained in detail in the following article: DOM XSS: An Explanation of DOM-based Cross-site Scripting. Despite being rare, these attacks may cause serious problems, and only a few scanners can detect them.