Mastering Web Application Development with Express

By : Alexandru Vladutu
Cross-site scripting

A cross-site scripting (XSS) attack allows an attacker to inject malicious client-side scripts into a web application. Once the injected script runs in the context of a trusted website, it has access to the user's sensitive information, such as cookies, the content of the page, and more.

To guard our Express applications against this type of attack, we should employ the following techniques:

  • Validate data sent by the user (input)

  • Sanitize output, including data that was stored on the backend (for example, in a database)

  • Enable Content Security Policy (CSP)

Validating input

We should always validate data sent by users before processing it. In some situations, we can validate it against a list of known values, but this isn't always possible, and then we have to check the shape of the data instead (type, length, allowed characters).

A handy module for validation is express-validator (https://www.npmjs.org/package/express-validator), which provides a wide range of built-in validation functions.
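The following is an added example, not code from the book or from express-validator, showing the two kinds of validation described above: checking a field against a list of known values (the `role` field) and checking the shape of fields that cannot be enumerated (`username`, `email`). The field names, the rules and the `/signup` form they belong to are assumptions; the middleware follows Express's `(req, res, next)` signature but is written without the framework so it runs stand-alone.

```javascript
// Added example (not the book's code): input validation for a signup form.
// Field names and rules are assumptions chosen for illustration.
const ALLOWED_ROLES = new Set(['reader', 'editor']);   // list of known values
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;               // constrained shape
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;           // simple email shape check

// Returns an array of error messages; an empty array means the body is valid.
// Every field is checked for type first, so an attacker sending an array or
// object where a string is expected cannot bypass the regex.
function validateSignup(body) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return ['request body must be a JSON object'];
  }
  const errors = [];
  const { username, email, role } = body;
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    errors.push('username must be 3-20 characters of a-z, 0-9 or _');
  }
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push('email is not valid');
  }
  if (typeof role !== 'string' || !ALLOWED_ROLES.has(role)) {
    errors.push('role must be one of: ' + [...ALLOWED_ROLES].join(', '));
  }
  return errors;
}

// Express-style middleware: reject invalid input with 400 before any route
// handler or database code sees it. Mount it as app.post('/signup', validateSignupMiddleware, handler).
function validateSignupMiddleware(req, res, next) {
  const errors = validateSignup(req.body);
  if (errors.length > 0) {
    return res.status(400).json({ errors });
  }
  next();
}

// Constructed sample payloads for demonstration.
const goodBody = { username: 'alice_01', email: 'alice@example.com', role: 'reader' };
const badBody = { username: '<script>alert(1)</script>', email: 'nope', role: 'admin' };

console.log(validateSignup(goodBody)); // []
console.log(validateSignup(badBody));  // three error messages
```

Note that a username containing `<script>` is rejected here only because the allowed character set is narrow; validation of this kind limits what reaches the backend, but it does not replace escaping on output, which the next section covers.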

Sanitizing output

Validation is the first line of defense, but it's not enough. We cannot stop the user from entering quotes, for...
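Because users legitimately enter quotes and angle brackets, the defense is to escape data at the point where it is rendered into HTML rather than to reject it. The block below is an added example, not code from the book or from any template engine: it escapes the five characters that can change meaning in HTML text or in a quoted attribute value, and renders a constructed stored comment into both positions. The `renderComment` helper and the `<li>` markup are assumptions chosen for illustration.

```javascript
// Added example (not the book's code): escaping user-controlled data on output.
// Written without a template engine so it runs stand-alone.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that can break out of HTML text content or a quoted
// attribute value. Escape on output, every time, rather than on storage: the
// same value may later be rendered in a context (JSON, plain text, an email)
// where HTML entities would be wrong.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a comment the way a view might: the body goes into text content and
// into a double-quoted title attribute. Both positions use the escaped value,
// so a quote in the input cannot close the attribute and start a new one.
function renderComment(comment) {
  const safe = escapeHtml(comment);
  return `<li title="${safe}">${safe}</li>`;
}

// Constructed sample input: a stored comment containing quotes and a tag.
const storedComment = `" onmouseover="alert(1)" x="<script>alert('xss')</script>`;

console.log(renderComment(storedComment));
// The output contains no raw < or " from the input; the only two double
// quotes present are the attribute delimiters written by the template.
```

Template engines used with Express already escape by default for their normal interpolation syntax; the unescaped forms (for example EJS's `<%- %>` and Jade's `!{}`) should be reserved for markup the application itself generated.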