Cross site scripting is a vulnerability in which malicious scripts are injected into the websites which can lead to a total breach of security when customer details are stolen or manipulated.
XSS can be found anywhere in an application where user input has been taken but not properly encoded. The injected script will be sent to users when the browser executes the script, and a malicious action is performed on the client side which can be used to steal user credentials.
For more information on XSS:- OWASP guide on XSS
The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.
Positive or “whitelist” input validation is also recommended but is not a complete defense as many applications require special characters in their input. Such validation should validate the length, characters, format and business rules on that data before accepting the input.
For more details:OWASP Cross Site Scripting Prevention Cheat Sheet
XSS Filter Evasion Cheat Sheet
Top 10 2013 A3 Cross-Site Scripting(XSS)