Before we get to XSS, let’s tell a quick story.
One day Xiao Hong submitted a comment on the server: “The blogger is so handsome!” When Xiao Ming visited the page and saw Xiao Hong’s comments, he thought: “This person’s judgment is so bad, let me meet her!” At this point, Xiao Ming submitted a comment on the page:
<script>
console.log(document.cookie)
</script>
Copy the code
Then red came again, this code in the red browser directly executed, Xiao Ming smoothly got the red cookie, boarded the red account began to abuse the blogger…
This is called XSS(Cross-site Scripting), so how did it come about?
- The first is the template problem in the background:
<p> Comments: <? php echo $content; ? > </p>Copy the code
$content is not filtered. We change the < symbol to < (HTML entities) will do.
- Front-end code issues:
$p.html(content)
or
$p = $('<p>'+ content +'</p>')
At this point, the content content is output as is. The solution is to use text instead of HTML. If you must use HTML, turn suspicious symbols into HTML entities.
Article source!!