XSS

Cross-Site Scripting, or XSS, is a security problem where attackers put harmful code (usually JavaScript) into a website, and that code runs in the browser of people who visit the site.

How it works

If a website doesn't carefully check user input, an attacker can sneak a script into a comment, form, or URL. When another user opens the page, the browser executes the script as if it were safe content. The script can then steal cookies, change what the page shows, or trick the user.
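
The comment case described above, as an added example that is not from the original page: the same input rendered by a vulnerable template and by one that encodes it on output. The function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added example: one comment rendered without and with output encoding.
// escapeHtml, renderCommentUnsafe and renderCommentSafe are hypothetical names.

// Characters that have special meaning in HTML text and quoted attributes.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace each special character with its entity so it displays as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: user input is pasted into the page as markup.
function renderCommentUnsafe(author, text) {
  return `<div class="comment" title="${author}"><p>${text}</p></div>`;
}

// Hardened: user input is encoded before it reaches the page.
function renderCommentSafe(author, text) {
  return `<div class="comment" title="${escapeHtml(author)}"><p>${escapeHtml(text)}</p></div>`;
}

// Constructed sample input: a comment carrying a script tag, and an author
// name containing a quote that would otherwise end the title attribute early.
const sampleText = "Nice post!<script>alert(1)</script>";
const sampleAuthor = 'guest" data-x="1';

const unsafeHtml = renderCommentUnsafe(sampleAuthor, sampleText);
const safeHtml = renderCommentSafe(sampleAuthor, sampleText);

// In unsafeHtml the browser sees a real <script> element and an extra attribute.
// In safeHtml the same characters arrive as entities and are shown as plain text.
console.log("unsafe:", unsafeHtml);
console.log("safe:  ", safeHtml);
```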

Analogy

Imagine a public notice board where anyone can pin a note. If nobody checks, someone could post a fake official message with a hidden trap. People reading it think it's normal, but the trap quietly steals their info. That's what XSS does on a website.