> Whenever anything is sent to the server from the browser, we need proper validation. Input should be properly sanitized before being sent to the server.

That doesn't sound right. If the attack vector is reflected XSS, i.e. that code (HTML/JS/etc.) is taken from the attacker's input, stored in the database by the server and later injected straight into another user's page, sanitizing it "before being sent to the server" would mean relying on the attacker helpfully sanitizing their own data.

If the author is here could I make a gentle suggestion to change “infected with” to something like “potentially vulnerable to”.

“Infected” means something very specific and I think its usage in this case comes off as a bit clickbaity and detracts from the credibility of the article.

The article referenced as the source of that statistic uses more accurate wording (though doesn’t cite its own sources):

> According to various research and studies, up to 50% of websites are vulnerable to DOM Based XSS vulnerabilities.

Also, “Almost 50%” != “up to 50%”