/

/

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a security vulnerability where an attacker injects malicious script into a page that other users' browsers then execute.

Category

Bloomreach Dev

Also known as

XSS; cross site scripting

It is relevant in a Bloomreach context because weblayers and Jinja templates inject HTML and JavaScript into live pages. Rendering unescaped user or catalog data into that markup can open an XSS vulnerability, which is one reason template fields are scanned and why escaping matters.

In practice

Never render untrusted data into a weblayer or template without escaping it. If a value could contain markup, encode it as an HTML entity or use the platform’s escaping, and treat any field that reaches the page as a potential injection point.

Discuss this term

A question, a bug, or outdated info? Tell us — it goes straight to the team, and we keep the glossary current.