On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers:
Unauthorized Site ScriptingUnofficial Site ScriptingURL Parameter Script InsertionCross Site ScriptingSynthesized ScriptingFraudulent Scripting
The next day there was consensus – Cross Site Scripting. In retrospect, I think this was a good choice given the options on the table.
By early February there was a coordinated advisory release with CERT: http://www.cert.org/advisories/CA-2000-02.html
The research leading up to the disclosure dates to mid-December 1999 – exactly ten years ago.
Over the years, the definition of Cross-Site Scripting has expanded somewhat. What we once referred to as simply “Cross Site Scripting” might now be classified as the reflected / non-persistent form of the attack.
Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!