This article mainly introduces cross-site scripting (XSS) attacks against PHP websites. A cross-site scripting attack adds malicious code to a web page; the code runs when a visitor browses that page, or when an administrator is lured into viewing it (for example through a message sent to the administrator), and the attacker can thereby gain administrator privileges and control of the entire site. Using cross-site request forgery, an attacker can easily force a user's browser to make unsolicited HTTP requests, such as fraudulent wire transfers, password changes, and downloads of illegal content.
The abbreviation XSS (Cross-Site Scripting) is used for this attack in order to distinguish it from CSS (Cascading Style Sheets).
Cross-site scripting is mainly used by attackers to read a website's users' cookies or other personal data; once an attacker obtains such data, he can impersonate the user, log on to the site and gain that user's access.
General steps of a cross-site scripting attack:
1. The attacker sends an XSS HTTP link to the target user in some way.
2. The target user logs on to the website and, while logged in, opens the XSS link sent by the attacker.
3. The website executes the XSS attack script.
4. The target user's page jumps to the attacker's website, and the attacker obtains the target user's information.
5. The attacker uses the target user's information to log on to the website, completing the attack.
When a program with a cross-site vulnerability is found, an attacker can construct a URL such as http://www.sectop.com/search.php?key="method="POST"> in which the cross-site script is embedded.
The defense is to filter output variables with htmlspecialchars, or to have the form submit to its own file with a hard-coded action; this directly avoids the $_SERVER["PHP_SELF"] variable being used for cross-site injection.
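As an added example (not code from the original article), the same search form rendered two ways: first reflecting $_SERVER['PHP_SELF'] and the previous search term unescaped, then with every dynamic value passed through htmlspecialchars and a hard-coded action. The function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the original article: a search form rendered
// vulnerably and then hardened as the article recommends.

// Vulnerable: the form action and the previous search term are reflected raw.
// A quote or angle bracket inside $self or $key ends the attribute or tag
// early, so attacker-controlled markup becomes part of the page.
function render_search_form_vulnerable(string $self, string $key): string
{
    return '<form action="' . $self . '" method="POST">'
         . '<input type="text" name="key" value="' . $key . '">'
         . '<input type="submit" value="Search"></form>';
}

// Hardened: escape for an HTML attribute context. ENT_QUOTES converts both
// quote styles and an explicit charset avoids surprises with multibyte input.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: the action is a fixed file name, so PHP_SELF is never reflected,
// and the search term is escaped before it is placed in the attribute.
function render_search_form_safe(string $key): string
{
    return '<form action="search.php" method="POST">'
         . '<input type="text" name="key" value="' . e($key) . '">'
         . '<input type="submit" value="Search"></form>';
}

// Constructed sample values standing in for $_SERVER['PHP_SELF'] and
// $_POST['key']. Only the quote and angle-bracket characters matter here;
// they are the characters htmlspecialchars neutralises.
$sampleSelf = '/search.php/"><b>x</b>';
$sampleKey  = 'php "quoted" <tag>';

echo render_search_form_vulnerable($sampleSelf, $sampleKey), PHP_EOL;
echo render_search_form_safe($sampleKey), PHP_EOL;
```

Run the script with the PHP CLI and compare the two lines: in the first, the attribute is closed early and a stray element appears; in the second, every special character stays inside the value attribute as an entity.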