Web security - XSS (b)

An XSS attack usually refers to exploiting vulnerabilities left in a page during development to inject malicious script code into the page by ingenious methods, so that the attacker can control the user's browser.

XSS attacks are generally divided into two categories. The first is reflected XSS, which simply reflects the user's input back to the browser. The second is stored XSS, where the user's input is stored on the server and the attack is persistent.

Consider the following example:

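<?php
// Read the "parm" query parameter exactly as the client sent it
$v = $_GET["parm"];
// Vulnerable on purpose: the value is written into the HTML without any encoding
echo "<div>" . $v . "</div>";
?>

Under normal circumstances, a request to http://a.com/test.php?parm=123 outputs: <div>123</div>
If the requested URL is http://a.com/test.php?parm=<script>alert("ceshi")</script>, the output is <div><script>alert("ceshi")</script></div>
If the parameter is only used and not stored, the attack is simply input reflected back as output. If we save the parameter, the problem persists.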

As the example above shows, the attacker uses specially constructed code to trick the server or the browser into executing it. If the special structure of the attacker's crafted code is broken, the attack no longer works. In the example above, if we urlencode the parameter we receive, the "<" is escaped, the script tag no longer exists, and the code cannot be executed in the page.

XSS attacks mainly occur where the server executes statements dynamically (usually in interpreted languages) and in the front end. To prevent XSS attacks, the basic principle is that all input is untrusted: every input must go through a security check, and every output must be HTML-encoded so that any special structure in the output is broken.
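
As an added example (not code from the original post), the following PHP script compares the page's unencoded output with urlencode and with HTML encoding through htmlspecialchars, and adds an input check. The helper names and the assumption that parm is meant to be a short decimal number are illustrative.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.

// The page's original behaviour: input is reflected into the HTML unchanged.
function render_unsafe(string $v): string {
    return "<div>" . $v . "</div>";
}

// Output encoding for HTML element content and quoted attribute values.
// ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE replaces invalid UTF-8.
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $v): string {
    return "<div>" . h($v) . "</div>";
}

// Input check. Assumption: "parm" should be a short decimal number, as in parm=123.
function valid_parm(string $v): bool {
    return preg_match('/\A[0-9]{1,10}\z/', $v) === 1;
}

// Constructed sample inputs; in test.php the value would come from $_GET["parm"].
$samples = [
    '123',
    '<script>alert("ceshi")</script>',
    'Tom & Jerry "quoted" <3',
];

foreach ($samples as $s) {
    echo "input      : ", $s, "\n";
    echo "valid parm : ", valid_parm($s) ? "yes" : "no", "\n";
    echo "unsafe     : ", render_unsafe($s), "\n";
    echo "urlencode  : ", "<div>" . urlencode($s) . "</div>", "\n";
    echo "html-encode: ", render_safe($s), "\n\n";
}
```

Run it with the php command-line interpreter. urlencode removes the tag but also changes how legitimate text is displayed, while htmlspecialchars keeps the visible text and only removes its meaning as markup.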

Origin www.cnblogs.com/zp900704/p/12333605.html