XSS is commonly discussed in two forms, stored and reflected (a third, DOM-based XSS, is triggered entirely by client-side script and the payload may never reach the server). In stored XSS the malicious script is saved by the application, typically in a database, and served to every user who later views the affected page; the compromise is persistent and independent of how the victim arrived, which is why it is rated a high-severity vulnerability. In reflected XSS the payload is not stored: it is carried in a single request, usually a crafted link, and echoed back into the response for that one victim. It has the same root cause as stored XSS, untrusted input written into the page without output encoding, rather than a misconfiguration of the webpage. Because the attacker must get each victim to open the crafted link and the effect is confined to that victim's session, reflected XSS is usually rated lower than stored XSS, commonly medium rather than high.
Most current web frameworks encode output by default in their templating layers, and XSS is straightforward to find with automated scanners or in a penetration test. Framework defaults are not a complete defence, however: they are bypassed whenever a developer renders raw HTML (for example via innerHTML, React's dangerouslySetInnerHTML, or a template engine's "safe" or "raw" helper). Best practice is therefore to treat every value that originates from a user, the URL or the database as untrusted and to encode it for the context in which it is written into the page (HTML text, attribute, JavaScript or URL), with allowlist validation of what each field legitimately accepts as a second layer. Stripping characters or tags that "look malicious" is a blocklist and should not be relied on: such filters are routinely bypassed with nested tags, alternative encodings, or event-handler attributes that contain no script tag at all. A Content-Security-Policy header that forbids inline script further limits what any injection that slips through can do.
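The following is an added example, not code from the original page. It models both XSS forms from the text as plain functions so they can be run with Node without a browser or a web server; the search page, the comment store and the payload strings are constructed for illustration. It contrasts the vulnerable rendering with the encoded version, and shows why a "strip the script tag" filter is not a substitute for output encoding.

```javascript
// Contextual output encoding for HTML text and quoted-attribute contexts.
// Untrusted data is encoded so the browser treats it as text, whatever
// characters it contains; this is the control the text is asking for.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Reflected XSS: the query parameter is echoed straight back into the page.
// A victim who opens an attacker-supplied link such as
//   /search?q=<script>alert(document.cookie)</script>
// executes the script once; nothing is stored on the server.
// (Assumed page structure; the 'before' version is kept vulnerable on purpose.)
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Same page, with the untrusted value encoded for the HTML text context.
function renderSearchFixed(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored XSS: the comment is persisted, so every visitor who views the page
// afterwards executes the payload, regardless of how they arrived.
// The in-memory array stands in for a database table (assumption).
function createCommentStore() {
  const comments = [];
  return {
    post(text) {
      comments.push(text); // stored verbatim; encoding belongs at render time
    },
    renderVulnerable() {
      return comments.map((c) => `<li>${c}</li>`).join('');
    },
    renderFixed() {
      return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
    },
  };
}

// A blocklist filter of the "strip characters that identify malicious code"
// kind. Included only to show why it does not replace output encoding.
function stripScriptTags(value) {
  return String(value).replace(/<script>/gi, '');
}

// Constructed payloads used for the demonstration.
const REFLECTED_PAYLOAD = '<script>alert(document.cookie)</script>';
const NESTED_PAYLOAD = '<scr<script>ipt>alert(1)</script>'; // one pass of stripping reassembles <script>
const HANDLER_PAYLOAD = '<img src=x onerror=alert(1)>';     // needs no <script> tag at all

// Stand-alone demonstration of each case.
const demoStore = createCommentStore();
demoStore.post(REFLECTED_PAYLOAD);
console.log('reflected, vulnerable :', renderSearchVulnerable(REFLECTED_PAYLOAD));
console.log('reflected, fixed      :', renderSearchFixed(REFLECTED_PAYLOAD));
console.log('stored, vulnerable    :', demoStore.renderVulnerable());
console.log('stored, fixed         :', demoStore.renderFixed());
console.log('blocklist on nested   :', stripScriptTags(NESTED_PAYLOAD));
console.log('blocklist on handler  :', stripScriptTags(HANDLER_PAYLOAD));
console.log('encoding on handler   :', escapeHtml(HANDLER_PAYLOAD));
```

The point of the last three lines is the one the paragraph makes: the blocklist turns the nested payload into a working script tag and passes the event-handler payload through untouched, while encoding neutralises both without needing to recognise either as an attack.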