Non-persistent XSS
Non-persistent XSS arises when a script uses data supplied by the user without modifying it. Typical cases are an online simulation or a statistics page. If the data is not altered before it is used, script can be added to it, and that script will itself be executed as part of the page. This is the simplest attack. It is not saved in a file or in a database: it is ephemeral.
Because the attack works by modifying the data to be processed, the XSS only changes the page that is displayed to the user. This may seem mild, but it is much less so when the attacker uses social engineering to distribute pages trapped in this way. This kind of vulnerability is often used to launch spam campaigns to tarnish the image of a site (redirects, changes of appearance) or to steal information.
Persistent XSS
Persistent XSS goes further. It is the flaw found in forums, registration forms and guestbooks. Submitted data is stored in a database and returned when a user requests it. This vulnerability may allow client-side or server-side execution and can enable any kind of exploitation, from the recovery of cookies to the execution of malicious scripts. The principle is that the malicious script is saved in the site's data. It will be displayed each time the site is opened and may be visible to all users. More dangerous still, this vulnerability allows an attacker to retrieve users' data held in the cookies of many sites, for example.
The most suitable solution against this flaw is to use htmlspecialchars and trust our PHP development company!
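An added example, not code from the original page: a guestbook renderer in PHP with the unescaped output beside the htmlspecialchars version, plus a request parameter echoed into an attribute. The function names, the `$entries` rows and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for HTML text or for a quoted attribute value.
// ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: stored entries are written into the page unchanged (persistent XSS).
function render_guestbook_unsafe(array $entries): string
{
    $html = "<ul>\n";
    foreach ($entries as $entry) {
        $html .= "  <li><b>{$entry['author']}</b>: {$entry['message']}</li>\n";
    }
    return $html . "</ul>\n";
}

// After: every stored field is escaped at output time.
function render_guestbook_safe(array $entries): string
{
    $html = "<ul>\n";
    foreach ($entries as $entry) {
        $html .= '  <li><b>' . e($entry['author']) . '</b>: '
               . e($entry['message']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Non-persistent case: a request parameter echoed into a quoted attribute.
function render_search_box(string $query): string
{
    return '<input type="text" name="q" value="' . e($query) . '">' . "\n";
}

// Constructed sample data standing in for database rows and a query string.
$entries = [
    ['author' => 'alice',   'message' => 'Nice site!'],
    ['author' => 'mallory', 'message' => '<script>alert(1)</script>'],
];

// Print the three fragments so the page source can be compared.
echo render_guestbook_unsafe($entries);
echo render_guestbook_safe($entries);
echo render_search_box('"><script>alert(1)</script>');
```

htmlspecialchars covers HTML text and quoted attribute values; values placed inside JavaScript, CSS or URLs need encoding for that context instead.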