Translations:Cross-site scripting/11/en

Victims do not even have to directly visit the page to be affected. Malicious 3rd party websites can embed hidden iframes to crafted urls to attack a user while vising a website of theirs. As well they may be tricked into visiting a malicious or crafted url using short url services or disguising the url as another.