Surging clouds
I wrote this sentence in my Webzine 0x03 paper. It appears there only once, but it is a very important principle, important enough that it could have gone into the paper as Best Practice 3.
Why "do the right thing in the right place"? The history of XSS defense illustrates this point well.
I once drew a picture to illustrate this process.
The first generation of solutions filtered special characters in the input. That is not doing the right thing in the right place.
XSS happens in the client's browser. If the defense is not placed where the attack actually takes effect, the result is one bypass after another, and the problem is never fully cured.
So later solutions moved the defense to the output stage, encoding the data at the moment it is written into the page. Doing it there has another advantage: historical data is protected as well (for example, an XSS payload that was already written into the database before the filter existed).
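The contrast between the two approaches, as an added example that is not part of the original post. It is written in Python rather than PHP only so that it runs standalone; the sample comments, the naive input filter and the template functions are all constructed for illustration. It shows three things at once: a single-pass input filter is defeated by a payload it did not anticipate, records stored before the filter existed are rendered raw, and encoding at the output stage protects every record regardless of its history. It also goes a step beyond the text by showing that "the right place" is the specific output context, since HTML-body encoding is not what a JavaScript string context needs.

```python
import html
import json

# Constructed sample records, standing in for a comments table. The
# entries after the first were stored before any input filter existed
# (or slipped past one), so an input-side fix never touches them.
STORED_COMMENTS = [
    "hello <world>",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "<scr<script>ipt>alert(1)</script>",
]


def input_filter(value):
    """Input-stage defense: strip <script> tags from a new submission.

    Deliberately naive (single pass, one tag name) to show why input
    filtering is the wrong place: it has to anticipate every payload.
    """
    return value.replace("<script>", "").replace("</script>", "")


def render_with_input_filter(stored_value):
    """Page template under the input-filter approach: stored data is
    trusted and inserted raw, because 'it was filtered on the way in'."""
    return "<p>%s</p>" % stored_value


def encode_for_html_body(value):
    """Output-stage defense for the HTML body / quoted attribute context."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """Output-stage defense for a JavaScript string literal context.

    json.dumps produces a quoted JS string; '<' is additionally encoded so
    that a value containing '</script>' cannot terminate the script block.
    """
    return json.dumps(value).replace("<", "\\u003c")


def render_with_output_encoding(stored_value):
    """Page template under the output-encoding approach: encode at the
    point where the data enters the browser, whatever its history."""
    return "<p>%s</p>" % encode_for_html_body(stored_value)


def contains_markup(fragment):
    """True if any raw '<' or '>' survived inside the <p> wrapper."""
    inner = fragment[len("<p>"):-len("</p>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    for c in STORED_COMMENTS:
        print("filtered input :", input_filter(c))
        print("raw render     :", render_with_input_filter(c))
        print("encoded render :", render_with_output_encoding(c))
        print()
```

Note what the filter does to the fourth comment: removing `<script>` from `<scr<script>ipt>` leaves `<script>` behind, so the filter manufactures the very tag it was meant to remove. The output-encoding path does not need to know any of this; it only needs to know which context it is writing into.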
The same is true for injection. The attack takes effect at the data layer, when the database parses the SQL, but PHP's magic_quotes escaped request values at the input stage, which is not the right place, so it never solved the problem. The PHP development team eventually abandoned it (magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4).
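The injection side of the same principle, as an added example that is not from the original post. The `addslashes` function is a Python emulation of PHP's addslashes(), which is what magic_quotes_gpc applied to every request value; the in-memory SQLite table and the two lookup functions are constructed for illustration. A value used in a numeric context contains no quote to escape, so input-stage escaping changes nothing, while binding the value as a parameter at the data layer stops the same input regardless of its content.

```python
import sqlite3


def addslashes(value):
    """Python emulation of PHP's addslashes(), which is what
    magic_quotes_gpc applied to every request value at the input stage:
    prefix ' " and backslash with a backslash and turn NUL into \\0."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def make_db():
    """Constructed in-memory table standing in for the application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_magic_quotes(conn, user_id):
    """Input-stage defense: the request value has been addslashes()'d and
    the query is then built by concatenation, as PHP code of the
    magic_quotes era commonly did. In a numeric context there is no quote
    to escape, so the escaping leaves the payload intact."""
    escaped = addslashes(user_id)
    sql = "SELECT name FROM users WHERE id = %s ORDER BY id" % escaped
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, user_id):
    """Data-layer defense: the value is bound as a parameter, so the
    database never parses it as SQL, whatever it contains."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    conn = make_db()
    for value in ("2", "1 OR 1=1"):
        print(repr(value), "magic_quotes  ->", find_user_magic_quotes(conn, value))
        print(repr(value), "parameterized ->", find_user_parameterized(conn, value))
```

A second reason the input stage is the wrong place is visible in `addslashes` itself: it assumes a backslash-escaping dialect, but only the code that actually talks to the database knows which dialect the value will reach (SQLite, for one, doubles the quote instead). Escaping and binding done at the data layer have that knowledge; a filter on the request does not.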