XSS is a social engineering trick... so you put some HTML code in a form, and you get this HTML code as feedback... for examole: a form asks "what's your name" and you write "blabla" then you get "hello blabla" so if you write something containing javascript codes, you will get html code with your injected javascript... but you may think from the tutorials that you can steal any cookie of any user you want when doing such an injection... it's not!!! because you could change your html code as well, so the same effect must happen... but you prepare an injected page, then you send the url to your victim, and he opens it, then the injected code is executed, that the XSS... And it is called XSS because there's already a CSS, which stands for Cascade Style Sheet to edit webpage styles.