Many modern web applications are complex programs. Such programs are not limited to server-side code that runs on the web server. Instead, web applications may include a significant amount of (script) code that is sent to and executed on the client, whereby such client-side components provide for a rich and fast user experience.
Client-side components also often contain parts of the application logic, and typically communicate with the server-side component through asynchronous JavaScript® calls. As a result, attackers may find entry points that can be exploited to inject unwanted parts into the script output.
Cross-site scripting (XSS) flaws are one of the most common types of vulnerabilities that attackers leverage to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser's confusion between data and code. That is, data that an attacker provides as input to a web application is actually code that is later sent to a client's browser, where it is interpreted as code and executed. It is difficult, if not impossible, to force developers to design web applications in a way that clearly separates code and data.
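The data/code confusion described above can be made visible by comparing the elements a page template intends to emit with the elements its output actually contains. The following is an added example, not code from the original text; the function names, the comment template and the sample inputs are all constructed for illustration.

```javascript
// Added example: all names and sample inputs are constructed for illustration.

// Characters that let text change HTML structure, with their entity encodings.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted data is concatenated straight into markup,
// so the browser cannot tell it apart from the template's own code.
function renderCommentUnsafe(author, body) {
  return '<div class="comment"><b>' + author + '</b><p>' + body + '</p></div>';
}

// Hardened: data is encoded for the HTML text context before insertion.
function renderCommentSafe(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b><p>' +
         escapeHtml(body) + '</p></div>';
}

// List the element names that the markup opens, in order.
// A simple tag scan (not a full HTML parser), enough to show
// whether input data altered the structure of the output.
function openedElements(html) {
  const names = [];
  const tagPattern = /<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    names.push(match[1].toLowerCase());
  }
  return names;
}

// True when the output contains exactly the elements the template defines.
function structurePreserved(html) {
  const expected = ['div', 'b', 'p'];
  const actual = openedElements(html);
  return actual.length === expected.length && actual.every((n, i) => n === expected[i]);
}

// Constructed inputs: one plain comment, one that carries markup.
const plainBody = 'Nice article, thanks & regards';
const markupBody = '<script>alert(1)</script>';
```

The encoding shown here is correct only for HTML text and quoted attribute values; data placed inside a script block, a URL or a style rule needs the encoding for that context instead.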