loophole.dev

A pressed-paper catalogue of code vulnerabilities, observed and named by hand.

I.

The Catalogue

Nine specimens, pressed and pinned. Hover to inspect; tap to read.

II.

Field Notes

LH-001 XSS reflectus Critical

Cross-site Script, Reflected

A perennial of the Rosaceae family — first observed in the early 2000s, this specimen thrives wherever untrusted input is rendered without escaping. Recognisable by its pale, eager bloom in URL parameters.

The reflected variant returns its payload immediately, like a startled bird. To press it safely, render output through a templating layer that escapes by default, and refuse to render raw HTML from query strings. Where the soil is rich (search pages, error messages), it spreads quickly; treat with care.

// Vulnerable bloom: the query parameter is placed straight into markup
res.send(`<p>Hello, ${req.query.name}</p>`);

// Pressed and preserved: escape the characters that can open a tag or
// attribute before the value is placed in markup
const escapeHtml = (s) => String(s).replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
res.send(`<p>Hello, ${escapeHtml(req.query.name)}</p>`);

Plate I. — XSS reflectus, in situ. Pressed by the gardener, 4 May.
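A worked pressing of the specimen above, added here and not part of the catalogue's own code: the unsafe and escaped renderings side by side, a constructed query string standing in for the request, and a small check a defender can run over rendered output to spot tags the template never emitted. The function names are hypothetical.

```javascript
// Added example (not the catalogue's code): reflected XSS, unsafe beside escaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value; everything else passes through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Parse a query string the way a minimal framework hands it to a handler.
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search));
}

// Vulnerable: the untrusted parameter is interpolated straight into markup.
function renderGreetingUnsafe(query) {
  return `<p>Hello, ${query.name}</p>`;
}

// Pressed: the parameter is escaped before it reaches the markup.
function renderGreetingSafe(query) {
  return `<p>Hello, ${escapeHtml(query.name ?? '')}</p>`;
}

// Defender's check: does the rendered page contain any tag the template did not
// emit itself? The template above only ever writes <p>.
function containsUnexpectedTag(html, allowed = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed request: a name carrying a script tag, URL-encoded as it would arrive.
const constructedQuery = parseQuery('?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E');

const unsafeHtml = renderGreetingUnsafe(constructedQuery);
const safeHtml = renderGreetingSafe(constructedQuery);
console.log('unsafe:', unsafeHtml, '| foreign tag:', containsUnexpectedTag(unsafeHtml));
console.log('safe:  ', safeHtml, '| foreign tag:', containsUnexpectedTag(safeHtml));
```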

III.

Pressed Archive

Twelve loopholes preserved in the bound folio. Each tile a closed case.