XSS attack

 1 <html> 
 2 <form action="" method="post"> 
 3 <input type="text" name="xss_input"> 
 4 <input type="submit"> 
 5 </form> 
 6 <?php 
 7 if(isset($_POST['xss_input'])){
 8     $xss = $_POST['xss_input'];  
 9     unset($_POST['xss_input']);
10     echo "<h1>你输入的字符为<br>$xss</h1>";     
11 }
12 ?> 
13 </html> 

If you the form's action is null, it will refresh the current page,request the current php.

Key:

<script>alert("haha");</script>

<html> 
<form action="" method="post"> 
<input type="text" name="xss_input"> 
<input type="submit"> 
</form> 
<h1>你输入的字符为<br><script>alert("haha");</script></h1> 
</html> 

==================================================

<html> 
<form action="" method="post"> 
<input type="text" name="xss_input"> 
<input type="submit"> 
</form> 
<?php 
if(isset($_POST['xss_input'])){
    $xss = $_POST['xss_input'];  
    echo "<textarea>你输入的字符为$xss</textarea>";
}
?> 
</html> 

Key:

</textarea><script>alert("haha");</script><textarea>>

The main point of xss is to take advantage of server's echo.

The main point of knowledge is to realize that html is generated by server,it's just strings !

The power of xss is the power of javascript.The more privilege we give to js,the more dangerous xss is.

How to prevent xss?

echo "<textarea>".htmlspecialchars("你输入的字符为$xss")."</textarea>";