XSS classification and defense measures

XSS is divided into three categories:

• Reflected XSS (non-persistent) When making a request, Appears in the URL and is submitted to the server as input. The server parses and responds. The XSS code is sent back to the browser along with the response content. Finally, the browser parses and executes the XSS code. This process is like a reflection, so it is called reflective XSS.

• Stored XSS (persistent) The only difference between stored XSS and reflected XSS is that the submitted code will be stored on the server side (database, memory, file system, etc.). There is no need to submit XSS code when requesting the target page for the first time.

• DOM Parsing is entirely a client matter.

XSS defense measures:

• Filter escape input and output

• Avoid using methods such as eval and new Function to execute strings unless you are sure that the string has nothing to do with user input

• Use the httpOnly attribute of the cookie and add the cookie field with this attribute. js cannot be read and written

• When using innerHTML and document.write, if the data is input by the user, then the object key characters need to be filtered and escaped

Recommended tutorial: Web server security

The above is the detailed content of XSS classification and defense measures. For more information, please follow other related articles on the PHP Chinese website!