Cross-site scripting (XSS) is an attack that injects malicious scripts into web pages viewed by other users. It works by including malicious JavaScript code in the response body of a request that gets executed when the response is received. Defenses include validating, encoding, and sanitizing all untrusted data to prevent it from being rendered as active content.