Translations:Cross-site scripting/11/en

Victims do not even have to directly visit the page to be affected. Malicious 3rd party websites can embed hidden iframes to crafted URLs to attack a user while visiting a website of theirs. As well they may be tricked into visiting a malicious or crafted URL using short URL services or disguising the URL as another.