PHP vulnerability solution (IV)-xss cross-site scripting

This article mainly introduces xss attacks against PHP websites. XSS attacks include malicious code on the webpage. when a visitor browses the webpage, the malicious code is executed or the administrator is tempted to browse the webpage by sending a message to the administrator to gain administrator privileges, control the entire website. Attackers can use cross-site request forgery to easily force users' browsers to send unintentional HTTP requests, such as fraudulent wire transfers, password changes, and illegal content downloads.

XSS (Cross Site Scripting) stands for Cross-Site Scripting attacks. to be different from Cascading Style Sheet (css ),

Cross-site scripting is mainly used by attackers to read cookies or other personal data of website users. Once attackers obtain the data, they can pretend to be the user to log on to the website, obtain the permissions of this user.

Common steps for cross-site scripting attacks:

1. the attacker sends an http link of xss to the target user in some way.

2. the target user logs on to the website and opens the xss link sent by the attacker during the login.

3. The website executes the xss attack script.

4. the target user page jumps to the attacker's website. The attacker obtains the target user information.

5. attackers use the information of the target user to log on to the website and complete the attack.

When a program with a cross-site vulnerability occurs, attackers can construct a http://www.sectop.com/search.php like this? Key = "method =" POST ">

The XSS script is inserted.

The defense method is to use htmlspecialchars to filter the output variables, or to submit them to the form of the file.

This prevents the $ _ SERVER ["PHP_SELF"] variable from being cross-site