The only way for an attacker to run malicious JavaScript in the victim's browser is to inject it into one of the pages that the victim downloads from the website. This can happen if the website includes user input directly in its pages, because the attacker can then submit a string that the victim's browser will treat as code rather than as text.
In the example below, a simple server-side script is used to display the latest comment on a website:
print "<html>"
print "Latest comment:"
print database.latestComment
print "</html>"
The script assumes that a comment consists only of text. However, since the user input is included directly in the output, an attacker could submit this comment: "<script>...</script>". Any user visiting the page would now receive the following response:
<html>
Latest comment:
<script>...</script>
</html>
When the user's browser loads the page, it will execute whatever JavaScript code is contained inside the <script> tags. Because the comment is read from the database and served to every visitor, every user who loads the page is attacked, not just the one who submitted the comment. The attacker has now succeeded.
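The following is an added example, not code from the original page: a minimal Node.js rendering of the "latest comment" page above, with the vulnerable version beside a hardened one that HTML-escapes the comment before embedding it. The comment string is a constructed sample standing in for database.latestComment, and renderVulnerable, renderSafe, escapeHtml and containsScriptTag are names introduced here for illustration.

```javascript
// Constructed sample input standing in for database.latestComment.
const latestComment = '<script>alert(document.cookie)</script>';

// Vulnerable renderer: the comment is concatenated into the page as-is,
// so the browser parses it as markup and executes the script element.
function renderVulnerable(comment) {
  return '<html>\n' +
    'Latest comment:\n' +
    comment + '\n' +
    '</html>';
}

// Escape the characters that change meaning in an HTML text or attribute
// context, so the browser renders the comment as literal text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened renderer: same page, but the comment is escaped at the point
// where it is written into the HTML body.
function renderSafe(comment) {
  return '<html>\n' +
    'Latest comment:\n' +
    escapeHtml(comment) + '\n' +
    '</html>';
}

// Crude check used only to show the difference: does the rendered page
// still contain a <script> start tag that the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('--- vulnerable ---');
console.log(renderVulnerable(latestComment));
console.log('executes script:', containsScriptTag(renderVulnerable(latestComment)));
console.log('--- hardened ---');
console.log(renderSafe(latestComment));
console.log('executes script:', containsScriptTag(renderSafe(latestComment)));
```

The escaping shown is correct only for output placed in the HTML body, which is where this page's script puts the comment. Input written into an attribute, a URL, a <script> block or a CSS context needs the encoding appropriate to that context, and escaping on input (when the comment is stored) instead of on output tends to break as soon as the same data is shown in a second context.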