XSS：Cross-site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Also, it's crucial that you turn off HTTP TRACE support on all webservers. An attacker can steal cookie data via Javascript even when document.cookie is disabled or not supported on the client. This attack is mounted when a user posts a malicious script to a forum so when another user clicks the link, an asynchronous HTTP Trace call is triggered which collects the user's cookie information from the server, and then sends it over to another malicious server that collects the cookie information so the attacker can mount a session hijack attack. This is easily mitigated by removing support for HTTP TRACE on all webservers.

link：https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

解决方式：
1、后台数据过滤关键标签，Django中用mark_safe 显示相关数据
2、前端数据用管道符+safe渲染。

CSRF （Cross-site Request-Forgery）：
official site:
https://en.wikipedia.org/wiki/Cross-site_request_forgery

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf^[1]) or XSRF, is a type of malicious exploit of a websitewhere unauthorized commands are transmitted from a user that the web application trusts.^[2] There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

本质上是防止从别的网站向自己网站发post请求, 客户来访问网站，网站会向客户发送随机字符串，然后客户带随机字符串发送post请求
只有带随机字符串来，网站才认,一般是post请求才要求带随机字符串，其它网站第一次来不会带随机字符串。

如何防御？

首先服务器端要以某种策略生成随机字符串，作为令牌(token)，保存在 Session 里。然后在发出请求的页面，把该令牌以隐藏域一类的形式，与其他信息一并发出。在接收请求的页面，把接收到的信息中的令牌与 Session 中的令牌比较，只有一致的时候才处理请求，处理完成后清理session中的值，否则返回 HTTP 403 拒绝请求或者要求用户重新登陆验证身份