Cross-site scripting (XSS) attacks target web applications and involve malicious client-side script or HTML. If the web application includes a malicious script, the attacker can use the web application as an intermediate layer and make the trusted user a victim of the attack. A cross-site scripting weakness occurs when dynamically generated web pages display unvalidated, unfiltered, and non-encoded user input, allowing an attacker to embed malicious scripts into the generated page. The attacker can leverage this to execute the scripting code, as if it came from the site's server, on the computer of anyone who uses the site.
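The weakness described above, shown as an added example that is not part of the original page and is not Force.com code: one page template rendered first with raw user input, then with output encoding. The function names, the template, and the sample inputs are all constructed for illustration.

```javascript
// Added example: the same page template rendered without and with output encoding.
// All names and sample inputs are hypothetical and constructed for illustration.

// HTML-encode the characters that can change how the browser parses markup.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: user input is concatenated into the generated page as-is,
// so any markup it carries becomes part of the page.
function renderSearchPageUnsafe(query) {
  return '<h1>Results for ' + query + '</h1>' +
         '<input name="q" value="' + query + '">';
}

// Hardened: every dynamic value is encoded at the point of output,
// in both the element body and the quoted attribute value.
function renderSearchPageSafe(query) {
  const q = htmlEncode(query);
  return '<h1>Results for ' + q + '</h1>' +
         '<input name="q" value="' + q + '">';
}

// Review aid: list opening tags in the output that the template itself never emits.
function injectedTags(page) {
  const templateTags = new Set(['h1', 'input']);
  const found = [];
  for (const m of page.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!templateTags.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed inputs: a plain query, a script element, and a value that
// closes the quoted attribute before adding its own element.
const samples = ['laptops', '<script>alert(1)</script>', '"><b>injected</b>'];

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  unsafe output adds tags:', injectedTags(renderSearchPageUnsafe(s)));
  console.log('  safe output adds tags:  ', injectedTags(renderSearchPageSafe(s)));
}
```

The encoding shown covers HTML element bodies and quoted attribute values only; input placed inside a script block or a URL needs encoding for that context instead.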
The Force.com platform provides several methods to protect against XSS attacks, which are as follows: