When does an XSS flaw occur?

An XSS (Cross-Site Scripting) flaw occurs when untrusted data is sent to a browser without validation. This vulnerability arises because, when data from an untrusted source — such as user input, external APIs, or third-party components — is not properly validated or sanitized, it can be executed by the user's browser as executable script code. Attackers can exploit this weakness to inject malicious scripts into web pages viewed by other users.

When this untrusted data is processed without validation, it might include executable JavaScript or other code that compromises the security of the web application, leading to potential attacks like session hijacking, data theft, or defacement of the website. Proper validation and sanitization are crucial in preventing XSS flaws, ensuring that any data that could be manipulated is secured before it is rendered in a web browser, thus protecting both the application and its users from these vulnerabilities.