How do I fix CWE-79 (Cross-Site Scripting (XSS))?

Encode all user output using context-appropriate encoding (HTML, JavaScript, URL, CSS). Implement Content Security Policy (CSP) headers. Use framework auto-escaping (React JSX, Angular templates). Validate and sanitize input on the server side. Use HttpOnly and Secure flags on session cookies

Fix GuideInjection

How to Fix CWE-79: Cross-Site Scripting (XSS)

Verified by Precogs Threat Research

The application includes untrusted data in web pages without proper validation or escaping, allowing attackers to execute scripts in victim browsers.

⚠️ Impact if Unpatched

Session hijacking, credential theft, defacement, malware distribution, phishing.

Step-by-Step Remediation

Encode all user output using context-appropriate encoding (HTML, JavaScript, URL, CSS)
Implement Content Security Policy (CSP) headers
Use framework auto-escaping (React JSX, Angular templates)
Validate and sanitize input on the server side
Use HttpOnly and Secure flags on session cookies

Code Example

❌ Vulnerable

// VULNERABLE: Direct insertion of user input
element.innerHTML = userInput;

✅ Fixed

// SAFE: Use textContent (auto-escapes)
element.textContent = userInput;
// Or use DOMPurify for HTML content
element.innerHTML = DOMPurify.sanitize(userInput);

Don't just patch one instance.

Scan your entire codebase for all instances of Cross-Site Scripting (XSS).

Scan for Free with Precogs AI →

Recent Vulnerabilities (CWE-79)

180 vulnerabilities in our database match Cross-Site Scripting (XSS).

CVE-2026-33932: Stored XSS in OpenEMR CCDA document preview before 8.0.0.3. Improper sanitizatio

CVSS 7.6

CVE-2026-33933: Reflected XSS in OpenEMR custom template editor before 8.0.0.3. Allows attackers

CVSS 6.1

CVE-2018-25210: CVE-2018-25210: WebOfisi E-Ticaret Cross-Site Scripting (XSS)

CVSS

CVE-2026-4847: CVE-2026-4847: Cross-Site Scripting in muucmf

CVSS

CVE-2026-4848: CVE-2026-4848: Cross-Site Scripting in muucmf Admin Panel

CVSS

CVE-2026-4849: CVE-2026-4849: Cross-Site Scripting in Simple Laundry System

CVSS

CVE-2025-10573: Stored XSS in Ivanti Endpoint Manager

CVSS 7.5

CVE-2026-4510: A weakness has been identified in PbootCMS up to 3.

CVSS 4.3

CVE-2026-4161: The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cros

CVSS 4.4

CVE-2026-4086: The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scr

CVSS 6.4

View all 180 vulnerabilities →