by bastawhiz 3137 days ago
An XSS issue could make your users' data vulnerable.
3 comments

But CORS[0] headers can mitigate some of the risk?

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

You want CSP headers to mitigate XSS risks.
Not really. CORS headers are set by the destination of the XHR. In the case of XSS it would be an attacker-controlled server used to exfiltrate user cookies, etc.
Your backend should be double-checking any escaping the frontend does.

Otherwise you can throw your fancy anti-XSS on the frontend in the bin.

Also CSP helps.

is still only an issue if you pass untrusted data to your js code.
And there is a pretty good chance of that happening in most JS projects.

Anywhere you take or show input from the user (an input box, a URL query, displaying data stored by some other system on the DB, etc...) could be a vector for an XSS attack.

And it's not just data passed to JS, but data passed to HTML or any data that could make its way into CSS in many cases!

Turns out that most of the time, untrusted user-supplied data slips through JS code https://www.owasp.org/index.php/Top_10_2017-Top_10
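An added example, not posted by anyone in this thread, for the CORS versus CSP exchange above: CORS is answered by the destination server, while CSP is set by the page's own origin and is checked before a fetch/XHR leaves the browser. The function names and the `.test`/`.invalid` hosts are assumptions made for illustration, and the matcher is a simplified model of CSP source matching.

```javascript
// Simplified model of how a browser applies a page's Content-Security-Policy
// to an outgoing fetch/XHR. Handles only 'self', 'none', '*', plain hosts and
// "*.host" wildcards; real CSP matching also considers ports, paths and more.

// Parse "default-src 'self'; connect-src https://api.example.test" into a
// Map of directive name -> source list. The first copy of a directive wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function sourceMatches(source, target, pageOrigin) {
  if (source === '*') return /^https?:$/.test(target.protocol);
  if (source === "'self'") return target.origin === pageOrigin;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // 'none' and syntax this model does not cover
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ':') return false;
  const h = target.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// connect-src governs fetch/XHR/WebSocket and falls back to default-src.
// With neither directive present, CSP places no restriction on the request,
// and whatever CORS headers the destination sends are its own choice.
function cspAllowsConnect(header, pageOrigin, url) {
  const policy = parseCsp(header);
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, target, pageOrigin));
}
```

`connect-src` only covers script-initiated connections; images, form posts and other request types are governed by their own directives, so a policy needs a restrictive `default-src` as well.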