# Something about XSS (Cross-site scripting)
If nothing is done about it

A page that echoes a request parameter straight into the HTML, like

```php
<?php echo $_GET['name']; ?>
```

called with the query string

name=<script>alert(document.cookie)</script>

writes the script tag into the page as-is, and nothing stops it from running.

(Screenshots of the result in Firefox, Chrome and Safari.)
## Result

Firefox ran the script. Chrome and Safari blocked it without any change to the page, because at the time they shipped a built-in reflected-XSS filter (Chrome's XSS Auditor and WebKit's equivalent).

This is not something to rely on: Chrome removed the XSS Auditor in version 78, the other browsers have since dropped theirs, and Firefox never had one. A page that only looks fine in Chrome is still vulnerable.
## Defence

The header `X-XSS-Protection: 1` (or `1; mode=block`) only asks the browser to turn on that same filter. It is non-standard, was never honoured by Firefox, and current browsers ignore it, so it adds nothing today; treat it as legacy.

The real defence is to encode the output for the HTML context before echoing it. In PHP use

```php
htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
// or
htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
```

`htmlspecialchars()` converts only `&`, `<`, `>`, `"` and `'`, which is all an HTML text or quoted-attribute context needs; `htmlentities()` additionally converts every character that has a named entity, which is unnecessary on a UTF-8 page. Pass `ENT_QUOTES` and the charset explicitly: before PHP 8.1 the default flags left the single quote unencoded, which matters inside single-quoted attributes.
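The defence as a runnable script. This is an added example written for this page, not code from the original post: it puts the vulnerable `echo` beside an encoded version, exercises both with the post's payload, and goes a little further than the post by also covering an attribute-context payload (no `<script>` tag needed) and a Content-Security-Policy header as a backstop. The function names, the attribute payload and the policy value are this example's own choices.

```php
<?php
// Added example, not code from the original post: the vulnerable echo
// next to its hardened form, tested with the same ?name= payload the post
// uses. Function names, the attribute payload and the CSP value are this
// example's own choices. Run with: php xss_encode.php
declare(strict_types=1);

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES encodes both " and ' (before PHP 8.1 the default flags left
// ' alone); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ""
// (which would silently blank the output); the charset is given explicitly.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the parameter is written into the page unchanged.
function render_vulnerable(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: the parameter is encoded for the HTML text context.
function render_safe(string $name): string
{
    return '<p>Hello, ' . html_escape($name) . '</p>';
}

// Attribute context: the same encoder works here because quotes are
// encoded too, so the value cannot close the attribute early.
function render_input_safe(string $name): string
{
    return '<input type="text" name="name" value="' . html_escape($name) . '">';
}

// Payload from the post (constructed here, as it would arrive in $_GET['name']).
$scriptPayload = '<script>alert(document.cookie)</script>';
// A payload that needs no <script> tag: it tries to break out of the attribute.
$attrPayload = '" autofocus onfocus="alert(document.cookie)';

// Each pair is [actual output, the output we expect]; a mismatch aborts.
$checks = [
    [render_vulnerable($scriptPayload),
     '<p>Hello, <script>alert(document.cookie)</script></p>'],
    [render_safe($scriptPayload),
     '<p>Hello, &lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>'],
    [render_input_safe($attrPayload),
     '<input type="text" name="name" value="&quot; autofocus onfocus=&quot;alert(document.cookie)">'],
];
foreach ($checks as [$actual, $expected]) {
    if ($actual !== $expected) {
        throw new RuntimeException('unexpected output: ' . $actual);
    }
    echo $actual, PHP_EOL;
}

// Entry point when served by a web server: declare the charset the encoder
// assumed, add a CSP so a missed spot still cannot run inline script, and
// only accept a string (?name[]=x would otherwise arrive as an array).
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    $name = is_string($_GET['name'] ?? null) ? $_GET['name'] : '';
    echo render_safe($name);
}
```

The first line printed is the vulnerable output and shows the raw `<script>` tag that the browser would execute; the second shows the same payload rendered inert as text. The third case is why `ENT_QUOTES` matters: with double quotes left unencoded the attribute payload would become a live `onfocus` handler, and no browser filter or header would be needed to trigger it.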
## Important!

Finally, the point to take away is that output encoding is what stops injected JavaScript from running on the page. The browser filter and the `X-XSS-Protection` header are at best a backstop; the encoding is the defence.