An attack where someone submits text containing a script, and your app renders it as live HTML so every visitor's browser runs the attacker's code. Modern frameworks like Svelte escape output by default, which prevents it automatically.