Javascript-Cross-Site attack, a bit blind, Solution

{Code ...} why is it unsafe? {code ...} in this way, test_form.php & quot; is safe. Tom thinks that only two & quot; are replaced by www.w3school.com. cnphpphp_form_validation.asp

 
  《script》alert('hacked')《script》
 

Why is this insecure?

After htmlspecialchars ProcessingScript alert ('hacked') script ">

This is safe.

Test_form.php "/What do you think of Tom? It's just two."/changed the location.

From http://www.w3school.com.cn/php/php_form_validation.asp

Reply content:

《script》alert('hacked')《script》

Why is this insecure?

After htmlspecialchars ProcessingScript alert ('hacked') script ">

This is safe.

Test_form.php "/What do you think of Tom? It's just two."/changed the location.

From http://www.w3school.com.cn/php/php_form_validation.asp

Forgive me for reading the error. I thought I only discussed htmlspecialchars.

To prevent xss attacks, we should first start with the format specification. For example, the name, email, and URL in your page form are all formatted. When obtaining the parameter value, you can use a regular expression or a handwritten function to verify it, saving you a lot of trouble.

For example, if the comment is not formatted or contains html characters, use htmlspecialchars to process the input or output. This function is used to convert html characters into entities, so that they are directly displayed without being parsed.

Here is an article, portal:
XSS and CSRF

For more information, see my previous blog summary.

The htmlspecialchars () function converts some predefined characters into HTML objects.

htmlspecialchars()Is to escape some sensitive characters. Avoid the use of special characters to separate the statements to be executed, produce ambiguity, or split them into two statements, or more to achieve the goal of destruction.

In short, we should never trust any data submitted by users. We must pre-process the data before it is imported or used.

Why.