Attacker inputs JS code on our page Usually through HTML forms (discussion, registration, search) Also URL, RSS rolls, e-mails, ... Not only JS - also design is important Stealing session data Altering page design HTML invalidity Escape all untrusted data, better on output Usage by other applications Input from other applications Trimming caused by longer escaped data Don't use %strip_tags()% May want to write tags literally It's strange to use entities With two parameters - style and JS events Use %htmlspecialchars()% or templates Data displayed to other users (security) Data displayed to user himself (usability) Our own trusted data (phishing) Write a PHP script to steal sessions Steal sessions on unsecured site Steal sessions on site protected with %strip_tags()% http://php.vrana.cz/cross-site-scripting.php