
Cross-Site Scripting (XSS)

When malicious HTML or client-side script is supplied to a web application and reflected back to its users, that is cross-site scripting. Salesforce, however, has a special feature: all standard Visualforce components, whose tags start with <apex:, have an anti-XSS filter in place by default. That protection can be disabled on a Visualforce tag:

<apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}"/>

Focus on escape="false": because of it, the security provided by Salesforce is bypassed and the code becomes vulnerable to an XSS attack again. In general, code is vulnerable to XSS if it takes user input and outputs it directly back to the user.
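As an added example (not from the original post or from Salesforce), the following Python audit scans Visualforce markup for <apex:...> tags that combine escape="false" with a value bound to $CurrentPage.parameters, which is exactly the pattern described above. The sample page and the custom label name are constructed, and render_output_text models the default escaping with Python's html.escape, an approximation of the Salesforce filter rather than its implementation.

```python
import html
import re

# Constructed Visualforce markup (not from any real org). Line 3 disables
# escaping on a page parameter; line 4 disables it on a non-user value.
SAMPLE_PAGE = """<apex:page>
  <apex:outputText value="{!$CurrentPage.parameters.userInput}"/>
  <apex:outputText escape="false" value="{!$CurrentPage.parameters.userInput}"/>
  <apex:outputText escape="false" value="{!$Label.siteFooter}"/>
</apex:page>"""

# Opening <apex:...> tags: group 1 is the component name, group 2 its attributes.
TAG_RE = re.compile(r"<apex:(\w+)\b([^>]*)/?>", re.IGNORECASE)
ESCAPE_FALSE_RE = re.compile(r"""\bescape\s*=\s*["']false["']""", re.IGNORECASE)
# Bindings to URL parameters are attacker-controlled input.
USER_INPUT_RE = re.compile(r"\$CurrentPage\.parameters\.", re.IGNORECASE)


def find_unescaped_user_input(markup):
    """Return (line_no, component) for apex tags that render page parameters
    with the built-in anti-XSS escaping switched off."""
    findings = []
    for line_no, line in enumerate(markup.splitlines(), start=1):
        for match in TAG_RE.finditer(line):
            attrs = match.group(2)
            if ESCAPE_FALSE_RE.search(attrs) and USER_INPUT_RE.search(attrs):
                findings.append((line_no, match.group(1)))
    return findings


def render_output_text(value, escape=True):
    """Model of apex:outputText: HTML-escaped by default, raw when escape="false".
    (Approximation using html.escape, not Salesforce's actual filter.)"""
    return html.escape(value, quote=True) if escape else value


if __name__ == "__main__":
    for line_no, component in find_unescaped_user_input(SAMPLE_PAGE):
        print(f'line {line_no}: <apex:{component}> renders a page parameter with escape="false"')
    print(render_output_text("<b>hi</b>"))              # &lt;b&gt;hi&lt;/b&gt;
    print(render_output_text("<b>hi</b>", escape=False))  # <b>hi</b>
```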