Severity: Medium to Critical
Stored XSS (Cross-Site Scripting) occurs when user input is stored in a database, file, or other location and later sent to the browser without proper sanitization.
User input should always be encoded prior to output. If the user input is being inserted into a script tag, it must be in string form and be string escaped, and closing `</script>` sequences (or any raw `<` and `>`) must not be included directly, since the HTML parser would end the script block early. If the user input is going elsewhere on a page, it must be HTML entity encoded.
It is critical that this occur for all pieces of data retrieved from the database, even if it should be safe under normal circumstances. This is to ensure that XSS doesn’t occur in the future, if a bug allows manipulation of that suspected-safe data.
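The two output contexts described above, shown side by side in an added example that is not part of the original page: a constructed comment value stands in for data read back from the database, the `encode_for_html` / `encode_for_js_string` helpers are hypothetical names, and the JS encoder uses Python's `json.dumps` plus `\u003c`-style escaping so that no literal `<`, `>` or `&` can reach the HTML parser inside a script block.

```python
import html
import json

# Constructed sample, standing in for a comment read back from the database.
# Note the closing tag: inside a <script> block it would end the script early.
STORED_COMMENT = '</script><script>alert(1)</script> & "hi" <b>bold</b>'


def encode_for_html(value: str) -> str:
    """Entity-encode for the HTML body or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Emit a JS string literal for use inside <script>.

    json.dumps handles quotes, backslashes and control characters; the extra
    replacements ensure '<', '>' and '&' never appear literally, so the HTML
    parser cannot see a '</script>' (or '<!--') inside the string.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_unsafe(comment: str) -> str:
    """The pattern the text warns about: stored data dropped in as-is."""
    return (f'<div id="comment">{comment}</div>\n'
            f'<script>var comment = "{comment}";</script>')


def render_safe(comment: str) -> str:
    """Encode per context: entities in the body, JS string escaping in script."""
    return (f'<div id="comment">{encode_for_html(comment)}</div>\n'
            f'<script>var comment = {encode_for_js_string(comment)};</script>')


def script_tag_counts(rendered: str) -> tuple:
    """(open, close) counts of <script> tags; a safe page has exactly one each."""
    return rendered.count("<script>"), rendered.count("</script>")


if __name__ == "__main__":
    print("unsafe:", script_tag_counts(render_unsafe(STORED_COMMENT)))  # (3, 5)
    print("safe:  ", script_tag_counts(render_safe(STORED_COMMENT)))    # (1, 1)
```

The counts make the failure visible: the unsafe render turns one stored value into extra script elements, while the safe render keeps the single template script and the browser receives the original text back unchanged once it parses the string literal.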