Easy example: a webpage is text, which is often created by code. But a webpage can also have JavaScript code in it. So, if the code which makes the webpage is faulty, a malicious user could insert JavaScript code that all the webpage's visitors will execute.
This fake server code adds a user’s review to the webpage for a product on a shopping site:
# Open the product's page for appending; the path is built straight from the submission
with open('products/' + submission['product_code'], 'a') as page:
    # Both values are written into the HTML exactly as submitted
    page.write('<div class="review_user">{}</div>'.format(user.name))
    page.write('<div class="review_body">{}</div>'.format(submission['review_body']))
There are two vulnerabilities here, but the one I want to point out is that the review content and user’s name are inserted right into the page, without first clearing away any HTML syntax they might contain. If the user submits a review which contains HTML syntax starting with `</div><script>`, they can embed their own JavaScript into the webpage:
<div class="review_body"></div><script>alert("hello!");</script>
Once this is inserted into the product page, any user that visits this page will see a dialogue box that says “hello!” But JavaScript isn’t limited to just useless dialogue boxes. If you inserted JavaScript that submits a request to change the user’s password, any user visiting that page would have their account taken over.
See if you can spot the second vulnerability: it’s similar to the first one.
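As an added illustration (not code from the post above), the same review-rendering logic in Python, once as written in the post and once hardened: the untrusted name and review body are HTML-escaped before being placed in the page, and the product code is validated before it is used to pick a file, which also closes the second, path-related vulnerability. The products directory layout and the product-code format are assumptions of this example.

```python
import html
import re
from pathlib import Path

# Assumed storage layout and product-code format (not from the post).
PRODUCT_DIR = Path("products")
PRODUCT_CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def render_review_unsafe(user_name, review_body):
    """Mirror of the post's snippet: untrusted strings dropped into HTML as-is."""
    return ('<div class="review_user">{}</div>'.format(user_name)
            + '<div class="review_body">{}</div>'.format(review_body))


def render_review_safe(user_name, review_body):
    """Escape '<', '>', '&' and quotes so submitted markup is shown as text,
    never parsed as tags. This is the fix for the first vulnerability."""
    return ('<div class="review_user">{}</div>'.format(html.escape(user_name, quote=True))
            + '<div class="review_body">{}</div>'.format(html.escape(review_body, quote=True)))


def product_page_path(product_code):
    """Only accept a plain product code, and confirm the resolved file still
    lives under PRODUCT_DIR. Without this, the submitted code chooses which
    file on disk the review gets appended to (the second vulnerability)."""
    if not PRODUCT_CODE_RE.fullmatch(product_code):
        raise ValueError("invalid product code")
    path = (PRODUCT_DIR / product_code).resolve()
    if PRODUCT_DIR.resolve() not in path.parents:
        raise ValueError("product code escapes the products directory")
    return path


def append_review(submission, user_name):
    """Hardened version of the post's server code: validated path, escaped content."""
    path = product_page_path(submission["product_code"])
    with open(path, "a", encoding="utf-8") as page:
        page.write(render_review_safe(user_name, submission["review_body"]))


def contains_script_tag(fragment):
    """Cheap check used below to show whether a rendered fragment still carries a live <script>."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    # Constructed sample: the review text from the post.
    payload = '</div><script>alert("hello!");</script>'
    print(render_review_unsafe("bob", payload))   # live <script> in the page
    print(render_review_safe("bob", payload))     # inert &lt;script&gt; text
```

Escaping at the point where untrusted text is written into HTML is the general fix; the same `html.escape` call protects every place this template renders user-controlled strings, not just the two shown in the post.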