A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

There are several escaping schemes that can be used depending on where the untrusted string needs to be placed within an HTML document including HTML entity encoding, Java Script escaping, CSS escaping, and URL (or percent) encoding.

Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS attacks in a fairly straightforward manner.

A reflected attack is typically delivered via email or a neutral web site.

The bait is an innocent-looking URL, pointing to a trusted site but containing the XSS vector.

XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

Security on the web depends on a variety of mechanisms, including an underlying concept of trust known as the same-origin policy.

A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.

For example, suppose there is a dating website where members scan the profiles of other members to see if they look interesting.

This essentially states that if content from one site (such as https://mybank.example1.com) is granted permission to access resources (like cookies etc) on a browser, then any content from that site will share these permissions, while content from another site (https://othersite.example2.com) will have to be granted permissions separately.