An attacker can steal or hijack a user’s session by executing scripts in the victim’s web browser. The injected script causes the victim’s session ID to be sent to the attacker’s web site, letting the attacker hijack the victim’s session. Attackers can also insert hostile content, deface your web site, or redirect users to malicious sites.
One of the best things you can do to avoid falling prey to XSS is to ensure that you validate all user input and encode it before it is sent to the browser. If you encode output properly, user input is treated as text instead of active content that can be executed. Use data escaping techniques to escape all untrusted data according to the HTML context it is placed in. If the application’s user interface framework doesn’t do this for you, the developers must include the escaping logic in their code. Your application may need to accept special characters, so a positive (whitelist) form of input validation is not always effective on its own. Your application must also be able to decode encoded input and validate the data before accepting it.
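Context-aware escaping in Python, as an added example not taken from the original article: the unsafe concatenation beside its escaped form for text, attribute and script contexts, plus a decode-then-validate step for the input side. The sample payload, the function names and the username allow-list pattern are constructed for illustration.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample payload (an assumption for this example): the kind of
# string a reflected request parameter might carry.
UNTRUSTED = '"><img src=x onerror=alert(1)>'

def render_unsafe(name: str) -> str:
    """'Before': untrusted data concatenated straight into the HTML."""
    return f'<p>Hello, {name}</p>'

def escape_html(value: str) -> str:
    """Escape for HTML text and double-quoted attribute contexts; quote=True
    also encodes quote characters so the value cannot leave the attribute."""
    return html.escape(value, quote=True)

def escape_js_string(value: str) -> str:
    """Escape for a JavaScript string literal inside <script>; json.dumps
    yields a quoted literal, and '<'/'>' are encoded so '</script>' in the
    data cannot close the block early."""
    return json.dumps(value).replace('<', '\\u003c').replace('>', '\\u003e')

def render_safe(name: str) -> str:
    """'After': each insertion point uses the escaper for its own context."""
    return (
        f'<p>Hello, {escape_html(name)}</p>\n'
        f'<input type="text" value="{escape_html(name)}">\n'
        f'<script>var user = {escape_js_string(name)};</script>'
    )

def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded %253C is seen as '<' before validation runs."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

USERNAME_RE = re.compile(r'[A-Za-z0-9_.-]{1,32}')

def validate_username(raw: str) -> Optional[str]:
    """Allow-list check applied only after decoding; None means reject."""
    value = canonicalize(raw)
    return value if USERNAME_RE.fullmatch(value) else None
```

The same payload that renders as a live `<img>` element through `render_unsafe` comes out of `render_safe` as inert text in every context.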
You can detect XSS flaws by running a vulnerability test with an automated tool or by analyzing your code. Note that it’s not easy to detect XSS flaws in Web 2.0 technologies.