Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. This security vulnerability can be exploited by malicious web users to bypass access controls.
The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser.
Most of the time, malicious scripts are injected through:

- Form parameters (GET and POST parameters)
AEM applies the principle of filtering all user-supplied content at the point of output. The XSS protection mechanism AEM provides is based on the AntiSamy Java library from OWASP.