Definition
XSS (Cross-Site Scripting) is a class of vulnerability where an attacker manages to inject JavaScript into a page that is then rendered in another user's browser. Because the injected script runs inside the victim's origin, it has access to cookies, can make API calls as the victim, and can rewrite the page to phish credentials. There are three subtypes: reflected (attacker input is echoed back in a response), stored (attacker input is saved and later served to others), and DOM-based (client-side code writes attacker input into the page).
Preventing XSS means escaping attacker-controlled data at the output boundary according to context (HTML body, HTML attribute, URL, JavaScript literal). Modern templating engines do this automatically for HTML body context; other contexts still require explicit escaping.
How SheetLinkWP relates to XSS
SheetLink Forms escapes every piece of user-submitted data before rendering it in the WordPress admin: esc_html for page body, esc_attr for HTML attributes, esc_url for URLs, esc_js for JavaScript string literals. The admin UI never renders raw form-submission content without escaping, and the JSON payload sent to Apps Script is generated with wp_json_encode, which is safe against both XSS and JSON injection. On the Sheets side, Apps Script writes values with setValue, which treats the content as text.
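The context-aware escaping described above, shown as an added example rather than SheetLink Forms' own code: the same constructed submission is rendered into an HTML body, an HTML attribute, a URL attribute and a JSON payload, and the final line shows why HTML escaping alone is not enough for a URL context. The helpers are plain-PHP stand-ins for esc_html, esc_attr, esc_url and wp_json_encode so the script runs with the php CLI without WordPress loaded; they approximate, not reproduce, WordPress behaviour.

```php
<?php
// Added example (not plugin code). Stand-ins for the WordPress helpers named on the page:
//   esc_html / esc_attr -> htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
//   esc_url             -> scheme allow-list, then attribute escaping
//   wp_json_encode      -> json_encode with hex flags so the JSON is safe inside <script>
function escape_html(string $s): string {
    // ENT_QUOTES also escapes single and double quotes, so the result is safe
    // in both HTML body and quoted attribute context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_url(string $url): string {
    // A "javascript:" value survives HTML escaping untouched, so a URL context
    // needs a scheme check in addition to attribute escaping.
    $trimmed = trim($url);
    if (!preg_match('#^(https?://|/)#i', $trimmed)) {
        return '';
    }
    return escape_html($trimmed);
}

function render_submission_row(array $submission): string {
    $name    = escape_html($submission['name']);     // HTML body context
    $message = escape_html($submission['message']);  // HTML attribute context
    $site    = escape_url($submission['website']);   // URL attribute context
    return "<tr><td title=\"{$message}\">{$name}</td>"
         . "<td><a href=\"{$site}\">site</a></td></tr>\n";
}

function build_sheets_payload(array $submission): string {
    // Hex-escaping < > & ' " means a value containing "</script>" cannot
    // terminate a <script> block the JSON is embedded in.
    return json_encode($submission, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample submission carrying a payload for each context.
$submission = [
    'name'    => '<script>alert(document.cookie)</script>',
    'message' => '" onmouseover="alert(1)',
    'website' => 'javascript:alert(1)',
];

echo render_submission_row($submission);
echo build_sheets_payload($submission), "\n";
// Wrong escaper for the context: the javascript: URL is still a working href.
echo 'escape_html alone on the URL: ', escape_html($submission['website']), "\n";
```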