Cross-site scripting (XSS)
Cross-site scripting (XSS) is a security exploit that allows an attacker to inject malicious client-side code into an otherwise benign and trusted website. This code is executed in the victims' browsers and lets the attacker bypass access controls and thereby impersonate users. These attacks succeed when the web application does not apply sufficient input validation or output encoding. The user's browser cannot tell that the injected script is untrustworthy, and as a result allows it to access cookies, session tokens, or other sensitive site-specific information, or to rewrite the HTML content of the page.
How we avoid XSS attacks
All user-supplied output is rendered either through a text binding (which inserts the value as text and does not execute JavaScript) or, for rich text fields, through a CKEditor binding, which also does not execute scripts.
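The following is an added example, not code from this project, showing in plain JavaScript why a text binding is safe where an HTML binding is not. A browser text binding assigns `element.textContent`, which never parses markup; serialising that to a string means HTML-escaping the value, which is what `renderTextBinding` below does. The `renderHtmlBinding` function is the pattern the page avoids for user-controlled data and is kept only for comparison. All function names and the sample input are constructed for this illustration.

```javascript
// Added example (not the project's own code): a minimal "text binding"
// versus an "HTML binding", rendered to strings so the difference can be
// checked offline without a browser DOM.

// Escape the five characters that let a string change HTML structure or
// break out of a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Text binding: the value is treated as data. In a browser this is what
// element.textContent gives you; in serialised form it is escaped, so any
// markup in the value is displayed literally and never parsed as a tag.
function renderTextBinding(value) {
  return `<span>${escapeHtml(value)}</span>`;
}

// HTML binding: the value is treated as markup. Used with user-controlled
// data this is the XSS sink the page describes; shown here for contrast.
function renderHtmlBinding(value) {
  return `<span>${value}</span>`;
}

// Constructed sample of user-supplied input (not from any real user).
const userInput = '<script>alert(1)</script>';

console.log(renderTextBinding(userInput)); // tag rendered as visible text
console.log(renderHtmlBinding(userInput)); // tag would be parsed by the browser
```

The usage at the bottom prints both renderings of the same constructed input: the text binding output contains only entity-encoded characters, so there is no element for the browser to execute, while the HTML binding output passes the markup through untouched.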