XSS Cross-Site Attack

Cross-Site Scripting (or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client side (in the user's web browser) rather than on the server side. XSS in itself is a threat which is brought about by the internet security weaknesses of client-side scripting languages, with HTML and JavaScript (others being VBScript, ActiveX, or Flash) as the prime culprits for this exploit. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which is then executed every time the page is loaded, or whenever an associated event is triggered.

In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations on this theme; however, all XSS attacks follow this pattern.

Cross-site scripting (XSS) is also described as a method of injecting web code into a web site or HTML-formatted email in order to gain access to user data.

How Cross-Site Scripting works

The goal with XSS is to obtain user information associated with the web site, such as their username and password, and any additional information such as billing information. XSS is also used for cookie stealing, changing of user settings and account hijacking. It works by relying on a web site having an XSS vulnerability, or by a user clicking on a link on another web site or in an email while logged in to a particular web site such as Facebook.

Web sites that offer a way for visitors to enter data should be checking that what is being entered is just text and not code (code entered where text is expected is known as code injection). As a basic example, a web site that lets you enter text to be posted on the site's web pages should be checking that what you entered is just text and not web code; otherwise the web pages being generated could be making public or distributing your information to a third party. XSS has been around for many years and has grown to encompass attacks using all sorts of web page objects such as Flash, Java, JavaScript, VBScript and ActiveX.

Article sources:
http://www.acunetix.com/websitesecurity/xss.htm
http://www.detoxcomic.com/articles/cross-site-scripting.html
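The "text, not code" check the articles call for is usually done at render time by HTML-encoding visitor input. The following is an added example, not code from either cited article: a vulnerable comment renderer beside its hardened form, with a constructed sample comment and a small check that tells the two apart. The function and variable names are assumptions for illustration.

```javascript
// Added example: output encoding so that visitor-supplied text is rendered
// as text and never handed to the browser as HTML or script.

// Characters that carry meaning in HTML body text and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode an untrusted value for insertion into HTML body or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: visitor text is concatenated straight into the markup, so any
// tag it contains becomes part of the page every time the page is loaded.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened: same template, but every untrusted value is encoded first.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Cheap regression check: does any tag taken verbatim from the untrusted
// input still appear as a live tag in the rendered markup? (Tags that also
// occur in the template itself would be counted, so keep the sample distinct.)
function untrustedTagsSurvive(markup, untrustedInput) {
  const tags = String(untrustedInput).match(/<[^>]*>/g) || [];
  return tags.some((tag) => markup.includes(tag));
}

// Constructed sample comment: "text" that is actually web code.
const SAMPLE_AUTHOR = 'visitor';
const SAMPLE_TEXT = 'Great post! <script>/* would run in every reader\'s browser */</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
  console.log('safe:  ', renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
}
```

Encoding applies to the context the value lands in; a value placed inside a script block or a URL needs that context's encoding rather than this HTML entity map.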