What is XSS injection:
XSS is usually injected, by some ingenious method, into a specific page so that a malicious user's JavaScript (or other type of) code is loaded and executed. The attacker can then obtain a series of user information, such as cookies, and use it to steal further user data.
Why does XSS happen:
Like SQL injection, it comes from absolutely trusting user input and not strictly filtering it.
XSS injection in practice:
In the input box we submit a <script> tag.
The result after submission:
View the page source: sure enough, since we made no changes to the code behind the page, the code we submitted is interpreted directly as HTML and executed, with the following effect:
This is just a simple pop-up; what if it were replaced with code that sends the cookie? The attacker could obtain the user's cookie without the user noticing, and thus impersonate the user's login session.
XSS defense:
Not much is needed to defend against XSS: every character entered by the user is escaped as an HTML entity (< becomes &lt;) before it is displayed, because XSS injection, whether it injects a tag or an attribute, requires < or quotes. As with SQL injection defense, escaping all of these characters in the input value is enough.
Defense code: convert all of the user's input parameters to HTML entities.
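The defense described above, as an added JavaScript example that is not part of the original post: a small HTML-entity escaper, a vulnerable render function that interpolates the input verbatim, and the hardened version that escapes the input in both element-content and attribute-value contexts. The function names, the greeting template and the sample input are all constructed for this illustration.

```javascript
// Added example, not the original post's code: escape user input as HTML
// entities before placing it in a page, and compare with the unsafe version.

// Characters that can open a tag, end a tag, or terminate an attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character with HTML meaning by its entity form.
// '&' is included so that an already-escaped string cannot be "unescaped"
// by the browser into a tag or quote.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the input is dropped into the template verbatim,
// so a submitted <script> tag is interpreted as HTML by the browser.
function renderUnsafe(name) {
  return `<p title="${name}">Hello, ${name}</p>`;
}

// Hardened rendering: same template, but the input is escaped once and used
// in both the attribute value and the element content.
function renderSafe(name) {
  const safe = escapeHtml(name);
  return `<p title="${safe}">Hello, ${safe}</p>`;
}

// Constructed sample input mirroring the post's <script> submission.
const sampleInput = '<script>alert(1)</script>';

console.log('unsafe:', renderUnsafe(sampleInput));
console.log('safe:  ', renderSafe(sampleInput));
```

With the sample input, the unsafe output contains a live `<script>` element while the safe output shows the literal text `<script>alert(1)</script>` on the page. This escaping covers HTML element content and quoted attribute values, which is the situation the post describes; input placed inside inline JavaScript, unquoted attributes or URL attributes such as href needs context-specific encoding rather than entity escaping alone.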