This occurs when an attacker takes advantage of a website that allows its users to post unfiltered HTML and JavaScript content.
By posting malicious HTML and JavaScript code, the attacker can cause the victim's web browser to send the victim's cookies to a website the attacker controls.