你输入的字符为$xss"; } ?>
If the form's action is null, submitting it refreshes the current page: the browser requests the current PHP script again.
Key:
The main point of XSS is to take advantage of the server's echo.
The main point to understand is that HTML is generated by the server; it's just strings!
The power of XSS is the power of JavaScript. The more privilege we give to JS, the more dangerous XSS is.
How to prevent XSS?
echo "";
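One common way to prevent this in PHP is to encode the value at output time with `htmlspecialchars()`. The script below is an added example, not code from the original page: it puts the vulnerable echo beside an encoded one. The field name `xss`, the function names and the sample input are assumptions.

```php
<?php
// Added example. Only $xss and the message string come from the page;
// the field name "xss" and all function names are assumptions.
// "你输入的字符为" means "The characters you entered are".

// Vulnerable: the input is interpolated into the HTML string unchanged,
// so any markup it contains becomes part of the page the browser parses.
function render_unsafe(string $xss): string
{
    return "<p>你输入的字符为$xss</p>";
}

// Encode HTML metacharacters (& < > " ') at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: the browser displays the input as text instead of parsing it.
function render_safe(string $xss): string
{
    return '<p>你输入的字符为' . h($xss) . '</p>';
}

// The same value echoed into an attribute. ENT_QUOTES matters here: an
// unencoded quote would end the value attribute early.
function render_form(string $xss): string
{
    // action="" submits back to the current script.
    return '<form action="" method="post">'
         . '<input type="text" name="xss" value="' . h($xss) . '">'
         . '<input type="submit"></form>';
}

// Constructed sample input, used when no form data is present (e.g. CLI run).
$raw = $_POST['xss'] ?? '<script>alert(1)</script>" x="';
// A request can send xss[]=..., which arrives as an array; treat it as empty.
$xss = is_string($raw) ? $raw : '';

echo render_unsafe($xss), "\n";
echo render_safe($xss), "\n";
echo render_form($xss), "\n";
```

Run it with `php` on the command line to compare the three outputs. Encoding belongs at the point of output and must match the context (element text or attribute value here).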