Last time I wrote about whether XSS should be defended on the input side or on the output side. My answer was: defend on both, but you also have to look at the application itself, and rank the risk of each XSS according to where it appears. Here are three simple examples:
1. A parameter that should only ever be an integer accepts a string instead, and that string is echoed into the page as XSS. That is a bug!
This example is about the programmer's security awareness: out of laziness, neither the input nor the output strictly enforces the data type. If you were the programmer, how would you fix this vulnerability? Fix both the input and the output, of course.
The logic is simple: the parameter is only supposed to accept numbers, yet it accepts characters; it is only supposed to output numbers, yet it outputs characters.
Suppose the programmer restricts the input and stops there. One day he comes running over to say the website has been XSSed again. After some investigation it turns out to be old data already stored in the database: the program never processed the output, so the same XSS came back for no apparent reason.
2. Strictly control the format of input data.
For more information, see http://www.w3school.com.cn/php/php_ref_filter.asp
This is a good set of filter functions. Teach programmers to validate every value from a form against a strict data format before storing it in the database, and XSS is eliminated on the input side. For example, if a form field is only supposed to take an e-mail address, when would anyone legitimately enter metacharacters like <>? Validate as tightly as the field's meaning allows; a permissive validator can still let unexpected characters through, which is one more reason the output side must be handled as well.
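The two examples above in code, as an added example that is not part of the original post: PHP's filter functions enforce the type on the input side, htmlspecialchars encodes on the output side, and a constructed legacy row shows why the output side is needed even after input validation exists. The function names (validate_id, validate_email, h, render_row) and the sample requests and rows are my own assumptions; the caveat that a quoted local part can carry < and > past FILTER_VALIDATE_EMAIL follows from the RFC 5321 grammar that PHP's validator implements.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. Function names and the
// sample requests/rows below are constructed for illustration.

// INPUT SIDE: accept only what the parameter is supposed to be.

// Returns the value as an int, or null if it is not a positive integer.
function validate_id($raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Returns the address, or null if it is not in e-mail format.
// Caveat: RFC 5321 allows a quoted local part such as "<x>"@example.com and
// PHP's filter honours that grammar, so a format check alone does not
// guarantee the absence of < and >. Treat it as a type check, not as HTML
// sanitization.
function validate_email($raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// OUTPUT SIDE: encode at the point where data enters the HTML, no matter
// where it came from. This is the only defence for rows that were stored
// before the input checks existed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row(array $row): string
{
    return '<li data-id="' . h((string) $row['id']) . '">' . h($row['email']) . "</li>\n";
}

// Constructed requests: what $_GET / $_POST might carry.
$requests = [
    ['id' => '42',                          'email' => 'alice@example.com'],
    ['id' => '42<script>alert(1)</script>', 'email' => 'bob@example.com'],
    ['id' => '7',                           'email' => 'carol<script>@example.com'],
    ['id' => '7',                           'email' => '"<svg/onload=alert(1)>"@example.com'],
];

foreach ($requests as $req) {
    $id    = validate_id($req['id']);
    $email = validate_email($req['email']);
    if ($id === null || $email === null) {
        echo 'rejected: ', json_encode($req), "\n";
        continue;
    }
    // Accepted values would be stored as-is; they are still encoded on output.
    echo 'accepted: ', render_row(['id' => $id, 'email' => $email]);
}

// Constructed legacy row, stored before any input validation existed.
// Today's form checks cannot touch it; only output encoding protects the page.
$legacy = ['id' => 3, 'email' => '<script>alert(document.cookie)</script>'];
echo 'legacy:   ', render_row($legacy);
```

Run it with `php example.php`. The second and third requests are rejected by the type checks; whether the fourth one is rejected depends on how strictly the validator reads the quoted local part, which is exactly why render_row encodes every value regardless of what the input side did.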
3. The same XSS appearing in different places in a web application represents a different level of risk.
For example, does the XSS sit on a page with no authentication at all? Can an attacker use it to steal cookies and forge a session? Does the vulnerable function matter to the business? Programmers tend to be dismissive of reported XSS, so we end up counting them one by one and digging them out one by one, which is miserable. Of course, the severity of an XSS cannot be read straight off the importance of the website's services, but at least we can rank priorities.
The last thing I want to say is that all three examples show how important the programmer's security awareness is. You may be a cool guy with flashy but useless kung fu moves, but in the programmer's eyes an XSS vulnerability is nothing more than input and output. This is only one person's view; you are welcome to discuss it.