This document discusses cross-site scripting (XSS) attacks and methods to prevent them. XSS attacks often target sites that store usernames and passwords in cookies. Attackers can steal user cookies by injecting malicious JavaScript. Defenses include properly filtering all untrusted input, using HTML scrubbers to remove dangerous tags and attributes, and keeping software up to date. The document also notes there are legitimate uses of mashups and JavaScript.