At what layer does a cross-site scripting attack occur?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

At what layer does a cross-site scripting attack occur?

Explanation:
Cross-site scripting is an application-layer vulnerability. It happens when a web application processes user-supplied input and includes it in the HTML it sends to a browser without proper validation or escaping. The malicious script is then executed in the victim’s browser, which means the issue stems from how the application handles data and renders output, i.e., at the application layer (layer 7). It’s not a problem of the data-link layer (network frames) or the session layer, and while how content is presented can involve the presentation aspect, the vulnerability originates in the application’s logic and output generation. To fix it, focus on validating and escaping input, using safe templates, and enforcing a strong content security policy.

