Cross-site scripting (XSS) is a prevalent security concern in untamed web applications, especially those running within the confines of a container. XSS is the most widely exploited class of vulnerability in this space. An attacker uses XSS to inject client-side scripts into pages viewed by other users; once on the page, those scripts run in the context of the site and can be used to bypass access controls such as the same-origin policy.
The consequences of using a site that is vulnerable to XSS range from simple annoyance all the way up to a serious security breach in which the attacker captures login details, credit card information, the user's personal profile data, or any number of other private interactions that take place online.
A simple example of XSS is the implementation of advertising on a web application, which allows the third-party advertiser to run some frontend code within the site. Advertising is a form of self-inflicted XSS, but in most cases the website can trust that the advertiser won’t do anything malicious.
Even though XSS is a standard web application vulnerability, it reinforces the need for some measure of application control whenever third-party code and applications run within a social networking container.