To understand what Cross Site Scripting is, let's see a usual situation, common to many sites.
Let's say we are taking some information passed in on a querystring (the string after the (?) character within a URL), with the purpose of displaying the content of a variable, for example, the visitor's name:
As we can see in this simple querystring, we are passing the visitor's name as a parameter in the URL, and then displaying it on our "welcomepage.php" page with the following PHP code:
echo ‘Welcome to our site ' . stripslashes($_GET[‘name']);
The result of this snippet is shown below:
Welcome to our site John
This is pretty simple and straightforward. We're displaying the content of the "name" variable, by using the $_GET superglobal PHP array, as we have done probably hundreds of times. Everything seems to be fine. Now, what's wrong with this code? Nothing really. But let's modify the querystring by replacing our visitor's name passed in the URL:
with something like this:
(‘Hey, you are going to be hijacked!');</script>
Do you remember the PHP code included in our "welcome.php" page? Yes, you're correct. When we modify the querystring, the following code is executed:
echo ‘Welcome to our site ‘ .
to be hijacked!');</script>