Frontend Developer
hard
prevent-xss-attacks

How do you prevent XSS (cross-site scripting) in frontend applications?

Answer

XSS happens when untrusted input is executed as code in the browser.

**Prevention:**

- Escape/encode output (use framework templating safely)
- Avoid dangerous APIs (`innerHTML`) or sanitize HTML
- Use Content Security Policy (CSP)
- Validate and sanitize on the server too

**Interview tip:** mention stored vs reflected XSS and the importance of treating user input as untrusted.

Related Topics

Security, Frontend, Web