diff --git a/source/_posts/What-is-cross-site-scripting-How-to-prevent-it.md b/source/_posts/What-is-cross-site-scripting-How-to-prevent-it.md index ca57316..a91eb5e 100644 --- a/source/_posts/What-is-cross-site-scripting-How-to-prevent-it.md +++ b/source/_posts/What-is-cross-site-scripting-How-to-prevent-it.md @@ -285,7 +285,7 @@ If Content Security Policy allows inline scripts (as it is by default), then bro ## Cross-site scripting vulnerability prevention -You can prevent cross-site scripting vulnerabilities by escaping HTML tags. In PHP, you can use [`htmlentities()`](https://www.php.net/manual/en/function.htmlentities.php) or [`htmlspecialchars()`](https://www.php.net/manual/en/function.htmlspecialchars.php) function. There is the example code without the XSS vulnerability: +You can prevent cross-site scripting vulnerabilities by escaping HTML tags. In PHP, you can use [`htmlentities()`](https://www.php.net/manual/en/function.htmlentities.php) or [`htmlspecialchars()`](https://www.php.net/manual/en/function.htmlspecialchars.php) function. There is the example code without the XSS vulnerability (although it is still vulnerable to CSRF): ```php
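Review bot: the new parenthetical "(although it is still vulnerable to CSRF)" on the `+` line introduces a claim the paragraph does not support, since the surrounding text is about output escaping for XSS and nothing in the hunk says why the example remains CSRF-prone (no anti-CSRF token, no `SameSite` cookie attribute) or what the reader should do about it. Either follow it with a sentence that names the missing control and points to where CSRF is covered, or drop the aside so the prevention section stays focused on one vulnerability class. While this line is being touched, two smaller points: "you can use ... function" should read "the `htmlentities()` or `htmlspecialchars()` function", and "There is the example code" should be "Here is the example code". Also consider tightening "escaping HTML tags" to "escaping HTML special characters" and noting that `htmlspecialchars()` needs the `ENT_QUOTES` flag when the value lands inside an attribute, because tag escaping alone does not cover every output context.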