Prevent XSS and SQL injection attacks - Java

Preface:

1. XSS overview

Cross-site scripting, abbreviated XSS, is a common security vulnerability in web applications and the most widespread kind of web attack.

XSS refers to an attacker exploiting a site's failure to escape or filter user-submitted data: the attacker embeds code in a web page so that, when other users visit that page, the embedded code is executed in their browsers.

1.1. Harm caused by XSS attacks

1. Stealing user information, such as login accounts, online banking accounts, etc.

2. Using the user's identity to read, tamper with, add or delete sensitive corporate data

3. Stealing important company information of commercial value

4. Illegal fund transfers

5. Forcing the victim to send e-mail

6. Planting a trojan on the site (drive-by download)

7. Controlling the victim's machine to attack other sites

1.2. Solutions for preventing XSS

The root cause of most XSS is that data submitted by the client is not completely filtered, so the focus is on filtering the information submitted by the user.

1. Mark important cookies as HttpOnly, so that JavaScript cannot read them through document.cookie.

2. Only allow users to enter the data we expect. For example, for an age field, only allow the user to enter digits, and filter out any non-digit characters.

3. HTML-encode the data: when the user submits data, encode HTML special characters into their corresponding entity names before any further processing.

4. Filter HTML, or remove particular tags, for example:
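The four measures listed above, written out in plain JDK Java as an added example (this is not code from the original post or from the blog it reproduces). The class and method names `XssDefenses`, `htmlEncode`, `isValidAge`, `keepDigits`, `removeTag` and `sessionCookieHeader` are chosen here; the `Secure` and `SameSite` cookie attributes go beyond the HttpOnly flag the post names, and the sample comment string is constructed for the demonstration. No servlet container is needed to run it.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the original post): the XSS defences the post lists,
 * implemented with the JDK only so the class runs stand-alone.
 */
public class XssDefenses {

    /** Measure 3: HTML-encode the characters that change meaning in HTML text
     *  and attribute context. Encoding on output is the most reliable defence. */
    public static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Measure 2: whitelist validation for an age field: digits only, bounded length. */
    private static final Pattern AGE = Pattern.compile("^[0-9]{1,3}$");

    public static boolean isValidAge(String age) {
        return age != null && AGE.matcher(age).matches();
    }

    /** Measure 2, "filter out" variant: drop every non-digit character. */
    public static String keepDigits(String input) {
        return input == null ? "" : input.replaceAll("[^0-9]", "");
    }

    /** Measure 4: remove one particular tag (e.g. "script") together with its body,
     *  then any stray opening or closing tag of the same name. This is a blacklist:
     *  use it in addition to encoding, never instead of it. */
    public static String removeTag(String html, String tag) {
        if (html == null) {
            return "";
        }
        String name = Pattern.quote(tag);
        // (?is): case-insensitive, and '.' also matches newlines inside the tag body.
        String withBody = "(?is)<\\s*" + name + "\\b[^>]*>.*?<\\s*/\\s*" + name + "\\s*>";
        String bareTag  = "(?is)<\\s*/?\\s*" + name + "\\b[^>]*>";
        return html.replaceAll(withBody, "").replaceAll(bareTag, "");
    }

    /** Measure 1: a Set-Cookie header value with HttpOnly (plus Secure and SameSite,
     *  which this example adds). In a servlet the equivalent is
     *  cookie.setHttpOnly(true) on javax.servlet.http.Cookie. */
    public static String sessionCookieHeader(String name, String value) {
        return name + "=" + value + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a submitted comment field.
        String comment = "Hello <script>alert(1)</script> & \"friends\"";

        System.out.println("encoded : " + htmlEncode(comment));
        // encoded : Hello &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;friends&quot;

        System.out.println("stripped: " + removeTag(comment, "script"));
        // stripped: Hello  & "friends"   (still needs encoding before it is rendered)

        System.out.println("age 42 valid: " + isValidAge("42"));       // true
        System.out.println("age 4x valid: " + isValidAge("4x"));       // false
        System.out.println("age 4x kept : " + keepDigits("4x"));       // 4

        System.out.println("Set-Cookie: " + sessionCookieHeader("JSESSIONID", "abc123"));
    }
}
```

Compile and run with `javac XssDefenses.java && java XssDefenses`. Note the order of defences: `removeTag` alone still leaves `&` and quotes in the text, so the encoded form is what should reach the page; tag removal only narrows what the encoder has to handle.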

Reproduced from: https://juejin.im/post/5cf5ea68f265da1bc14b14ed

Origin: blog.csdn.net/weixin_34242658/article/details/91441906