| ||
Any application that has the following pattern is at risk of cross-site scripting:
The web application takes input from an HTTP entity such as a querystring, header, or form.
The application does not check the input for validity.
The application echoes the data back into a browser.