
Disabling JavaScript execution on specific pages (HTML / PHP)

Updated: 2023-10-30 08:18:34

Yes, there is an experimental HTTP header called the Content Security Policy that allows you to control where JavaScript comes from, which can make XSS impossible. However, it is currently only supported by Chrome and Firefox.

It is a good idea to enable HttpOnly cookies, however this will prevent exactly ZERO attacks. You can still exploit XSS by reading CSRF tokens and carrying out requests with an XHR.

There are many ways of obtaining XSS, and a vulnerability scanner like ShieldSeal will find (nearly) all of them. Skipfish is an open source vulnerability scanner that is very primitive, but it's free. This is how most web applications deal with widespread vulnerabilities. (I work for ShieldSeal and I help build their vulnerability scanner, and I love my job.)

When an issue is found you should use htmlspecialchars($var) or htmlspecialchars($var, ENT_QUOTES) to sanitize input. ENT_QUOTES can prevent an attacker from introducing an onclick or other JavaScript event.
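As an added example (not part of the original answer), a PHP page that combines the two measures the answer describes: a Content-Security-Policy header that restricts scripts to the page's own origin, and output escaping with ENT_QUOTES so a value cannot break out of a single-quoted attribute. The helper name e(), the script path /static/app.js and the sample input are assumptions.

```php
<?php
// Added example (not from the original answer): a PHP page that pairs the two
// defences the answer mentions: a Content-Security-Policy header that only
// allows scripts from this origin, plus output escaping with ENT_QUOTES.
declare(strict_types=1);

// 1. Restrict where scripts may come from. Inline <script> blocks and inline
//    event handlers (onclick="...") are blocked under this policy because
//    'unsafe-inline' is deliberately absent. Must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// 2. Escape untrusted data before placing it in HTML. ENT_QUOTES also encodes
//    single quotes, so a value cannot close a single-quoted attribute.
//    Before PHP 8.1 the default flags were ENT_COMPAT, which leaves ' intact;
//    passing the flags explicitly gives the same result on every version.
//    (Hypothetical helper name.)
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for an untrusted query-string value.
$name = $_GET['name'] ?? "O'Brien <b>bold</b> \"quoted\"";

// For comparison: double-quotes-only escaping versus ENT_QUOTES.
$compat = htmlspecialchars($name, ENT_COMPAT);   // ' survives unchanged
$quoted = e($name);                              // ' becomes &#039;
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Escaping demo</title></head>
<body>
  <!-- Safe as text content and inside either attribute quoting style -->
  <p>Hello, <?= $quoted ?></p>
  <input type="text" name="name" value='<?= $quoted ?>'>
  <input type="text" name="name2" value="<?= $quoted ?>">

  <!-- Both encodings shown as text so the difference is visible on the page -->
  <pre>ENT_COMPAT: <?= e($compat) ?>
ENT_QUOTES: <?= e($quoted) ?></pre>

  <!-- Same-origin script file, permitted by script-src 'self' (assumed path) -->
  <script src="/static/app.js"></script>
</body>
</html>
```

Serve the file with `php -S localhost:8080` and open it with `?name=` values containing quotes; the response header and the `<pre>` block show which characters each flag set encodes.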