There is another way attackers can use XSS to inject malicious JavaScript, called a reflected XSS attack.