1.XSS 攻击和防范之存储
<html>
<body>
<script>
var cookie = document.cookie;
window.location.href = 'index.php?cookie=' + cookie;
</script>
</body>
</html>
如果您在cookie中设置了HttpOnly属性,那么通过js脚本将无法读取到cookie信息,这样能有效的防止XSS攻击,具体一点的介绍请google进行搜索
http://desert3.iteye.com/blog/869080
2.XSS 攻击和防范之反射
浏览器过滤
public function actionIndex()
{
// 阻止浏览器过滤
\Yii::$app->response->headers->add('X-XSS-Protection', '0');
echo \Yii::$app->request->get('name');
// return $this->render('index');
}
http://www.2cto.com/article/201506/406232.html
https://zhidao.baidu.com/question/937771708741169372.html
http://wangye.org/blog/archives/596/
<html>
<body>
<script>
var a = "123 --- <?php echo $_GET['key']?>";
</script>
</body>
</html>
浏览器对 xss 防范有限
2.XSS 攻击和防范之蠕虫(worm)
yii 防范 XSS 的 2种方法 :
public function actionTest()
{
\Yii::$app->response->headers->add('X-XSS-Protection', '0');
$script = \Yii::$app->request->get('script');
var_dump($script);
// html 实体编码
echo \yii\helpers\Html::encode($script);die; // 1. 实体编码
echo \yii\helpers\HTMLPurifier::process($script);die; // 2. lexer 技术,浏览器用 lexer识别 js,php也用这个
}