CSRF: Cross-site request forgery.
Attack principle: A user logs on to a trusted site A and, after authentication, is issued a session cookie. While still logged in, the user opens a malicious site B. B entices the user to click a link (or silently submits a form or loads an image) whose target is an interface on A. Because the browser automatically attaches A's cookie to every request it sends to A, A takes the forged request as legitimate and executes it. Note that B never sees the cookie; it only needs the victim's browser to send it.
Precautionary measures:
1. Add a token to the interface: the server issues an unpredictable, session-bound anti-CSRF token, the page sends it back in a hidden form field or custom header on every state-changing request, and the server rejects any request whose token is missing or does not match. Site B cannot read the token, so it cannot build a valid request.
2. Referer authentication: verify the source of the HTTP request by checking that the Referer (or the Origin header, where the browser sends one) belongs to A. Treat this as a supplementary check rather than a replacement for the token: browsers and proxies sometimes strip the Referer, so a missing header should be rejected, not allowed.
Reference https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/
XSS: Cross-site scripting.
Attack principle: The attacker injects script into a page that other users view (through a stored comment, a reflected URL parameter, and similar inputs). When the page renders, the injected script runs in the victim's browser with the victim's session, and can read cookies, issue requests as the user, or alter the page.
Precautionary measures:
1. Encoding: HTML-entity-encode user-entered data at output time, so that characters such as <, >, &, " and ' are shown as text instead of being interpreted as markup. Encode for the context the data lands in (HTML body, attribute, JavaScript, URL); HTML entity encoding on its own is not enough inside a script block or a URL.
2. Filtering: strip or reject potentially dangerous elements in user input, such as style, script and iframe. A denylist filter is easy to bypass (event-handler attributes, nested tags), so use it as an extra layer on top of encoding, not instead of it.
About Web security: CSRF and XSS