XSS injects malicious scripts into a victim's browser; React JSX auto-escapes interpolated values (dangerouslySetInnerHTML bypasses that and is still dangerous); use DOMPurify for user-supplied HTML, HttpOnly cookies, and a Content Security Policy.
- XSS (Cross-Site Scripting) lets an attacker inject a script that executes in the victim's browser with the vulnerable origin's privileges: reading session tokens, performing actions as the user, redirecting them, or rewriting page content.
- Three types. Stored XSS: the script is saved server-side (comment, profile field) and runs for every user who views the page. Reflected XSS: the script travels in a URL parameter and the server echoes it into the response, typically delivered as a phishing link. DOM-based XSS: client-side code reads attacker-controlled data (document.location, window.location.hash, localStorage) and writes it into the DOM, for example via innerHTML, so the payload never reaches the server and server-side filtering cannot catch it.
- Prevention is context-appropriate output encoding: HTML-encode when inserting into HTML text or attribute values, JavaScript-encode when inserting into a JavaScript string, URL-encode when inserting into a URL parameter; an encoder for the wrong context leaves a hole. React JSX auto-escapes interpolated text and attribute values, but dangerouslySetInnerHTML bypasses that escaping entirely, and JSX does not validate URL-valued attributes, so a user-controlled href carrying a javascript: URL is a separate case to check.
- Do not assign innerHTML (or outerHTML, insertAdjacentHTML, document.write) from user content; use textContent, or createElement plus setAttribute.
- DOMPurify: when user-provided HTML must be rendered (rich text editor output), sanitize it on the client immediately before insertion with DOMPurify.sanitize(userHtml), then pass the result to innerHTML or dangerouslySetInnerHTML; restrict the allow-list (ALLOWED_TAGS, ALLOWED_ATTR) to what the feature actually needs.
- Content Security Policy: blocks inline scripts and scripts from origins not on the list, which limits what an injected payload can do. Use a per-response nonce or a hash rather than 'unsafe-inline', which re-enables exactly what the policy is meant to stop. This is defense in depth, not a fix for the injection itself.
- HttpOnly cookies: JavaScript cannot read the session cookie even under XSS, so the token cannot be exfiltrated. It does not stop misuse: the injected script can still send authenticated requests from the victim's browser.
- Subresource Integrity (SRI): verifies that a CDN-hosted script has not been tampered with, via the integrity attribute (a base64 digest of the expected file) on <script> and <link>; cross-origin resources also need crossorigin="anonymous" for the check to apply.
- DOM APIs versus innerHTML: const div = document.createElement('div'); div.textContent = userInput is safe; div.innerHTML = userInput is unsafe, and wrapping the value in a template literal (div.innerHTML = `<b>${userInput}</b>`) is just as unsafe, because the browser parses the result as markup.