Understanding XSS Vulnerabilities: Classification, Fixes, and Regression Testing
This article explains the three main types of XSS attacks, provides concrete examples, outlines common remediation techniques such as proper HTML escaping, and highlights seven practical considerations for functional regression testing and secure server‑side and client‑side handling.
People with web testing experience are generally aware of XSS (Cross‑Site Scripting) vulnerabilities, but the impact an XSS fix has on existing functionality, and the thorough regression testing it therefore requires, are often overlooked; this article addresses those gaps.
XSS Classification (3 types)
Local (DOM‑based) XSS : An attacker crafts a malicious URL that, when visited, causes the page's own client‑side script to execute attacker‑controlled JavaScript in the victim's browser.
Reflected XSS : The server returns user‑supplied data without HTML entity encoding, allowing injected scripts to run in the context of the vulnerable page.
Stored XSS : The malicious payload is saved on the server (e.g., in a micro‑blog post) and executed whenever any user views the stored content.
Examples illustrate how a victim (user B) can be tricked into executing malicious scripts that steal cookies, install malware, or exfiltrate sensitive data.
Common Fix Strategies
Escape user input before storing it in a database (e.g., convert <script>alert('c')</script> to its escaped form &lt;script&gt;alert('c')&lt;/script&gt;).
Apply escaping at the view layer, controller layer, or JavaScript layer depending on the MVC framework used.
Escaping Characters Reference
Character | Escaped Form
"         | &quot;
&         | &amp;
Space     | &nbsp;
<         | &lt;
>         | &gt;
Browser Rendering Mechanism
The browser decodes escaped sequences only when rendering visible content; for example, &amp; is displayed as &, while &lt;script&gt; is shown as literal text rather than executed.
Key Practical Points (7 items)
Both server‑side and client‑side code must be inspected to avoid double‑escaping, which would show stray &amp; sequences to the user instead of a plain &.
Search input should not be escaped before processing, otherwise search results may be missed.
Dynamic HTML generated on the client must be escaped before insertion into the DOM.
When generating HTML fragments dynamically, escape before generation, not after, to ensure the intended markup works.
Hidden fields and values (e.g., URLs with &) must be escaped correctly; otherwise double‑escaping can corrupt stored URLs and break downstream logic.
All server‑generated data displayed on the page—including data placed in value or hidden attributes—must be escaped, even if not immediately visible.
Special attention is required for URL parameters and other non‑text data types that contain characters like &.
Neglecting these considerations can lead to severe security issues and functional regressions after XSS fixes.
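The escaping table, the "escape before generating markup" rule and the double‑escaping pitfall above, as an added example that is not part of the original article. It implements the table (plus the single quote, which the table omits but which is needed inside single‑quoted attributes) and a regression check that flags double‑escaped output; the sample post data and URL are constructed.

```javascript
// Added example (not from the original article): minimal HTML escaper and a
// regression check for double-escaping. Runs in Node or a browser.

// The escaping table from the article; the single quote is an addition so the
// same function is safe inside single-quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so the browser shows it literally instead of parsing it.
// Each character is replaced independently, so '&' never gets escaped twice here.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Point 4: escape each untrusted value first, then build the markup around it.
// The <a> and <span> tags are ours, so they stay intact and render as intended.
function renderPost(author, body, profileUrl) {
  return `<a href="${escapeHtml(profileUrl)}">${escapeHtml(author)}</a>: ` +
         `<span>${escapeHtml(body)}</span>`;
}

// Points 1 and 5: if the server already stored "?a=1&amp;b=2" and the client
// escapes again, the page contains "&amp;amp;" and the user sees "&amp;".
// A functional regression test can scan rendered HTML for that signature.
function findDoubleEscapes(html) {
  return html.match(/&amp;(amp|lt|gt|quot|nbsp|#\d+);/g) || [];
}

// Constructed sample data: a hostile author name and body, and a URL with '&'.
const samplePost = renderPost('Mallory <x>', 'say "hi" & bye', 'https://example.com/u?id=1&tab=2');
const alreadyEscapedUrl = 'https://example.com/?a=1&amp;b=2';  // as stored by the server

console.log(samplePost);
console.log('double escapes in post:', findDoubleEscapes(samplePost));                    // []
console.log('double escapes after re-escaping stored URL:',
            findDoubleEscapes(escapeHtml(alreadyEscapedUrl)));                            // ['&amp;amp;']
```

The check only catches output that was escaped twice; choosing exactly one layer (server or client) to do the escaping is what prevents it in the first place.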
360 Quality & Efficiency
360 Quality & Efficiency focuses on seamlessly integrating quality and efficiency in R&D, sharing 360’s internal best practices with industry peers to foster collaboration among Chinese enterprises and drive greater efficiency value.