Ah, I just replied to you on Twitter, but I’m glad you posted here because it will help others.
Here was my Twitter reply:
Ben Halpern 🤗
@bendhalpern
@TiffanyW_412 XSS typically refers to JavaScript included in the HTML another user will load. Say if, instead of encoding and parsing <script>alert("hello")</script>, Twitter actually evaluated it.
Twitter cleanses all text and makes sure the browser doesn’t treat it like HTML.
And here’s that scenario in practice:
My All-Time Favorite Demonstration of a Cross-Site Scripting Attack
Ben Halpern
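Ben's point about encoding rather than evaluating user text, as an added JavaScript example that is not from his post or from Twitter's own code (the renderer and helper names are hypothetical, and the sample tweet body is constructed from the payload in his tweet):

```javascript
// Added example: output encoding is what stops a stored XSS payload
// from being parsed as HTML. Function names here are hypothetical.

// The five characters that can change HTML structure, mapped to entities.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text for the HTML text/attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable renderer: user-supplied text is spliced straight into the
// markup, so the browser parses <script> as an element and runs it.
function renderTweetUnsafe(author, body) {
  return `<div class="tweet"><b>${author}</b><p>${body}</p></div>`;
}

// Hardened renderer: every untrusted value is encoded before it is
// placed in the document, so the payload is shown as literal text.
function renderTweetSafe(author, body) {
  return `<div class="tweet"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Defender-side check: does the markup contain a real <script> element
// (as opposed to the harmless text "&lt;script&gt;")?
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed sample input: the payload from the tweet above.
const SAMPLE_BODY = '<script>alert("hello")</script>';

console.log(containsScriptElement(renderTweetUnsafe("tiffany", SAMPLE_BODY))); // true
console.log(containsScriptElement(renderTweetSafe("tiffany", SAMPLE_BODY)));   // false
```

The same encoding must be applied in every place user text lands in the page; encoding it once on input and then re-using it in a different context (an attribute, a URL, inline JavaScript) is where many real XSS bugs come from.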
Thanks Ben. Reading up on it some more.
Awesome. Other folks might be able to add other explanations or analogies which could add more color.