How to prevent XSS with HTML/PHP?

php xss
TimTim picture TimTim · Jan 3, 2010 · Viewed 246.7k times · Source

How do I prevent XSS (cross-site scripting) using just HTML and PHP?

I've seen numerous other posts on this topic but I have not found an article that clear and concisely states how to actually prevent XSS.

Answer

Alix Axel picture Alix Axel · Jan 3, 2010

Basically you need to use the function htmlspecialchars() whenever you want to output something to the browser that came from the user input.

The correct way to use this function is something like this:

echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

Google Code University also has these very educational videos on Web Security:

Related questions

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
How do you set up use HttpOnly cookies in PHP

How can I set the cookies in my PHP apps as HttpOnly cookies?

Read More
XSS filtering function in PHP

Does anyone know of a good function out there for filtering generic input from forms? Zend_Filter_input seems to require prior knowledge of the contents of the input and I'm concerned that using something like HTML Purifier will have …

Read More