script href javascript alert window window.open document document.cookie var onload onerror onclick onkeydown onkey onchange onhover
// Make this cookie unreadable from JS
cookie.setHttpOnly(true); // Protect against XSS attacks
Introduction to XSS attacks: http://www.cnblogs.com/bangerlee/archive/2013/04/06/3002142.html
A brief look at CSRF attack methods: https://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html