This is the most common type of XSS and the easiest for a malicious attacker to pull off. The attacker uses social engineering techniques to get a user to click on a link to your site. The link has malicious code embedded in it. Your site then redisplays the attack, and the user’s browser parses it as if it were from a trusted site. This method can be used to deliver a virus or malformed cookie (used to hijack sessions later) or grab data from the user’s system. One famous example of this was found in Google’s search results. The malicious code would be tacked onto the end of a search link. When the user clicked on the link, the code would get displayed as part of the search string. The user’s browser would parse this and compromise his or her system.
Defend against this as you would any variable injection attack. Before you display any user-generated data, validate the input. Do not trust anything that the user’s browser sends you.