Why is Cross-site scripting called Cross-site scripting? The term implies to me (a non-native English speaker) that there is some other web site involved that attacks your web site, but most of the time this is not the case, is it? (Hell, it doesn't always even include scripting (feeding JavaScript to the user) either. A faked HTML interface is often a viable execution strategy too.)
As I understand it, that which we call XSS is caused by insufficient escaping of user input and primarily happens in web applications, as shown in this question. For example, the following piece of code is vulnerable:
<?php
echo $_GET['q'];
?>
But the following fixes it[1]:
<?php
echo htmlspecialchars($_GET['q']);
?>
The user input can be stored in the database too, and the same thing happens if the input is not escaped when it is brought back for display. And in fact, this seems to be the method of attack that is the most beneficial for the attacker (affects the most users) and thus the most used.
I feel that the nebulousness of the term leads to hack jobs such as removing offending characters or strings from user input and other confusion (apparently allowing valid JavaScript in the database is wrong) when inexperienced people are trying to patch for it.
Instead of the abstruse term XSS, wouldn't something like lack of escaping work just as well, and be much clearer? Or is there something more that the term XSS encompasses?
[1]: Assuming we are in the middle of an HTML page, of course.
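The contrast the question draws between stripping "offending" characters and escaping at display time, as an added example that is not part of the original post. The sample comments and the helper names (`stripOffending`, `escapeHtml`, `renderComments`) are constructed for illustration.

```php
<?php
// Constructed sample data: what users typed, stored in the database unmodified.
$storedComments = [
    'Use <b> for bold, and remember that 1 < 2 && 3 > 2.',
    '<script>alert("hi")</script> is how you open a dialog in JavaScript.',
    'Tom & Jerry said "it\'s fine"',
];

// The "hack job" approach: delete characters that look dangerous.
// Hypothetical helper, shown only for comparison.
function stripOffending(string $s): string
{
    return str_replace(['<', '>', '"', "'", '&'], '', $s);
}

// Escape for the HTML output context at the moment of display.
// ENT_QUOTES also encodes ' and ", so the result can sit inside a quoted attribute value.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a list from stored comments, passing each one through the given filter.
function renderComments(array $comments, callable $filter): string
{
    $html = "<ul>\n";
    foreach ($comments as $c) {
        $html .= '  <li>' . $filter($c) . "</li>\n";
    }
    return $html . "</ul>\n";
}

echo "Stripped (stored text is damaged):\n", renderComments($storedComments, 'stripOffending');
echo "Escaped (stored text intact, displayed as text):\n", renderComments($storedComments, 'escapeHtml');

foreach ($storedComments as $c) {
    $escaped = escapeHtml($c);
    // Escaping is lossless: decoding returns exactly what was stored.
    if (htmlspecialchars_decode($escaped, ENT_QUOTES) !== $c) {
        throw new RuntimeException('escaping changed the stored text');
    }
    // No character that could open a tag or close an attribute value remains.
    if (strpbrk($escaped, '<>"\'') !== false) {
        throw new RuntimeException('markup-significant character left unescaped');
    }
}
```

The escaping applies to the HTML body and quoted-attribute contexts only; output placed inside a script block, a URL, or CSS needs the encoder for that context.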