Reflected type: the script is injected directly through URL parameters. The user can see it.
Stored type: the script is stored in the database and, when other users visit, it is read out and displayed on their page. The user cannot see it. For example: a script added in a comment is sent straight to the database, and when a user visits the page it is output directly.
HTML content nodes: node content that is generated dynamically from user input
<div>
#{content}
</div>
<div>
<script>alert(1)</script>
</div>
HTML attributes: attribute values generated from user input
JS code: the script contains user state, or data retrieved from the backend
Rich text: HTML content submitted in comments
Defending against XSS attacks
The browser comes with a built-in defense, controlled by a setting:
0 // turns the browser's defense mechanism off
1 // on, the default
1 url // the browser notifies this url after its defense triggers
The browser's defense is limited: input that appears in HTML content or attributes is intercepted by the browser.
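An added example, not part of the original notes: output encoding for three of the injection points listed above (HTML content node, HTML attribute, JS code), next to the unescaped `#{content}` rendering. All function names are hypothetical and the sample inputs are constructed.

```javascript
// Vulnerable: the #{content} template filled by plain string concatenation.
function renderUnsafe(content) {
  return '<div>' + content + '</div>';
}

// HTML content node: encode the characters that can start a tag or an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// HTML attribute: additionally encode both quote characters, so the value
// cannot close the attribute. The attribute itself must always be quoted.
function escapeAttr(value) {
  return escapeHtml(value)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// JS code: JSON.stringify produces a valid string literal, but a "</script>"
// inside it would still end the script block, so <, > and & are written as
// \uXXXX escapes, which the JS parser turns back into the same characters.
function escapeJs(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// One encoder per context: the same input is encoded three different ways.
function renderSafe(input) {
  return [
    '<div>' + escapeHtml(input) + '</div>',
    '<img alt="' + escapeAttr(input) + '">',
    '<script>var data = ' + escapeJs(input) + ';</script>',
  ];
}

// Constructed sample inputs: the payload from the notes, and a value with a quote.
const samples = ['<script>alert(1)</script>', 'a" title="injected'];
for (const s of samples) {
  console.log('unsafe:', renderUnsafe(s));
  console.log(renderSafe(s).join('\n'));
}
```

Rich text is not covered here: it has to keep some HTML, so encoding everything does not fit that case.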
To be continued .......