To do this, for the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal) but the text at the end of her answer is her script to steal names and emails.
If the script is enclosed inside a Contextual output encoding/escaping could be used as the primary defense mechanism to stop XSS attacks.
Microsoft security-engineers introduced the term "cross-site scripting" in January 2000.
The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack-site, in a manner that executes a fragment of Java Script prepared by the attacker in the security context of the targeted domain (taking advantage of a reflected or non-persistent XSS vulnerability).
Although widely recommended, performing HTML entity encoding only on the five XML significant characters is not always sufficient to prevent many forms of XSS attacks.
As encoding is often difficult, security encoding libraries are usually easier to use.) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "very large").
A reflected attack is typically delivered via email or a neutral web site.
For example, suppose there is a dating website where members scan the profiles of other members to see if they look interesting.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.
A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for.
If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.