How to effectively prevent XSS attacks/AJAX cross-origin attacks

1. Use the character filtering vulnerability to submit malicious js Code. When the user opens the page, execute 2. Enter the image address, css, and other places that are directly executed during page loading, enter malicious javascript [javascript: xxxx]. When you open a page containing images, You can execute javascript. For example, GET s1.game.com/fight/:id indicates sending troops to a user. Although user verification is performed, the source verification is not performed. You only need to send the address to the Forum of the same user as the image address for 3, webpage jump vulnerability, such as refer. php? Message = xxxx. If $ _ GET ['message'] is directly used on the page, an xss vulnerability occurs. You can steal user cookies by replacing the message Parameter with js Code or malicious URLs, or execute malicious js, or jump to the phishing page. 4. Use the browser or server 0-day vulnerability 1. XSS is mainly used to run the js code written by the user on your page, therefore, the data submitted by all users is filtered, And the cookie information that determines whether the user is logged on is encrypted, and the Ip information is added. In this way, the user is basically stolen and cannot obtain the logon permission 2, the update or delete operation is submitted in post mode. Each form is added with a unique verification string and submitted in hiden mode. This is used for the server to verify whether the request comes from the user client 3, the jump program must match and judge the transmitted url. Only the specific format 4 is allowed, and security messages are often concerned. Once a vulnerability exists, many frameworks do not immediately provide XSS filtering, the following xss_clean in this class is the CI filter function can be seen here there are a variety of strange xss way https://bitbucket.org/mrxx/mrxx-php-lib/src/00bcdc20b9b9/security/Security.php
Http://ha.ckers.org/xss.html