I know that XSS happens because of malicious data/script injected into a webpage before sending to the client and it appears as if it came from the original site. It does lot of damages to the user like password theft, credit card sniff etc.
Can you tell me how to avoid this:
1. During development? 2. During run-time by the user/client?
If you want to try use XSS, cookie stealing and other web hacking things (and it really helps to understand how to prevent it), go to http://www.hackthissite.org , register and go through "realistics mission" chalenges. there are fun, and educational
Well the only way that code can get injected into a page that affects other users is if you let it happen. You need to strip out script tags, and escape user input if it is being displayed for everyone to view.