Why is the Samy Worm considered XSS?

XSS has a weird name. You don't need multiple websites for it.

XSS is essentially the HTML equivalent of SQL injection. When a website outputs some attacker-controlled text into an HTML document without encoding entities like <, > or ", the attacker can inject hostile JavaScript into the HTML document, which will run in the context of that document.

If you think of it as HTML injection or JavaScript injection, it becomes much clearer what it is.
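The missing encoding step described in the answer above, shown as an added example that is not part of the original answers: the same profile template rendered with and without entity encoding, plus a structural check that reveals when user text has turned into markup. The function names, the template and the sample profile are constructed for illustration; encoding `&` and `'` as well is an addition beyond the characters the answer lists.

```javascript
// Added example: names, template and sample input are constructed.

// Characters that let text leave an HTML text node or a quoted attribute value.
// '&' is encoded in the same pass so the output cannot be re-read as entities.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: user-controlled text is concatenated straight into the document.
function renderProfileUnsafe(profile) {
  return `<div class="profile" title="${profile.tagline}">${profile.about}</div>`;
}

// Hardened: every user-controlled value is entity-encoded at output time.
function renderProfileSafe(profile) {
  return `<div class="profile" title="${encodeHtml(profile.tagline)}">` +
         `${encodeHtml(profile.about)}</div>`;
}

// Count the raw structural characters in rendered output. The template alone
// contributes 2 '<' (open and close div) and 4 '"' (two quoted attributes);
// anything above that came from user input being parsed as markup.
function structure(html) {
  return {
    lt: (html.match(/</g) || []).length,
    quotes: (html.match(/"/g) || []).length,
  };
}

// Constructed sample: one value targets element content, one targets an attribute.
const sampleProfile = {
  about: '<script>alert(1)</script>',
  tagline: 'x" onmouseover="alert(1)',
};

function demo() {
  const unsafe = structure(renderProfileUnsafe(sampleProfile));
  const safe = structure(renderProfileSafe(sampleProfile));
  console.log('unsafe:', unsafe, 'safe:', safe);
  return { unsafe, safe };
}

demo();
```

The unsafe rendering gains an extra element and an extra attribute, all served from the site's own origin, which is why the injected script runs with that site's privileges and no second site is involved.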


XSS has always been a misnomer. It really should have always been called "HTML injection" or "web page markup injection" or "web page script injection".

One of the main potential results of script injection is indeed arbitrary cross-site scripting, which really just means cross-domain scripting. But of course, "web application worms" of this nature stay entirely within their own domain.