# Something about XSS (Cross-site scripting)

## If nothing is set
Use code like

```php
<?php echo $_GET['name']; // prints the query string value without any encoding ?>
```

with the query string `name=<script>alert(document.cookie)</script>`, and with no defence against XSS.
[Screenshots: the result in Firefox, in Chrome and in Safari]

## Result

Chrome and Safari handle this XSS by default.

## Defence

Set the header `X-XSS-Protection: 1`.

If you use PHP, you can use

```php
<?php echo htmlspecialchars($_GET['name']); // or htmlentities() ?>
```

## Important!

Finally, we must understand that what matters is encoding the output, so that JavaScript cannot run on the page.
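
The encoding step described above, as an added example that is not code from the original post: it renders the post's `name` parameter in three output contexts, each with the encoding that context needs, and does not depend on any browser filter. The helper names `e()` and `js()` are hypothetical, and PHP 7.2 or later is assumed.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.

// Encode for HTML text and quoted attribute values.
// ENT_QUOTES also encodes ' (not encoded by default before PHP 8.1);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value for use inside a <script> block: JSON with <, >, &, ' and "
// written as \uXXXX escapes, so the value cannot close the script element.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Constructed sample input: the query string value used in the post,
// taken as the default when the script is run without ?name=...
$name = $_GET['name'] ?? '<script>alert(document.cookie)</script>';
if (!is_string($name)) {   // ?name[]=x makes $_GET['name'] an array
    $name = '';
}

header('Content-Type: text/html; charset=UTF-8');
?>
<!-- HTML text context -->
<p>Hello, <?= e($name) ?></p>

<!-- Quoted attribute context: always keep the quotes around the value -->
<input type="text" name="name" value="<?= e($name) ?>">

<!-- JavaScript context: HTML entities are not decoded inside <script> -->
<script>
  var name = <?= js($name) ?>;
  document.title = name;
</script>
```

With the post's query string, the browser shows the payload as literal text in the paragraph and the input field, and the script block receives it as an ordinary string.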
...