What are the best practices for avoiding xss attacks in a PHP site

Rik Heywood · Sep 16, 2008

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputting that is derived from user input.

I also occasionally search my database for common things used in xss attacks such as...

<script

What else should I be doing, and how can I make sure that the things I am trying to do are always done?

Answer

Michał Rudnicki · Sep 16, 2008

Escaping input is not the best you can do for successful XSS prevention. Output must be escaped as well. If you use the Smarty template engine, you may use the |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use my own |e modifier, which is an alias to the above).

My approach to input/output security is:

  • store user input not modified (no HTML escaping on input, only DB-aware escaping done via PDO prepared statements)
  • escape on output, depending on what output format you use (e.g. HTML and JSON need different escaping rules)
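The "store raw, escape per output context" approach from the answer above, as an added example in plain PHP (this is not code from the question or the answer). It assumes the pdo_sqlite extension is available so the PDO part runs against an in-memory database; the table, column and variable names are made up for the demonstration, and the user input is a constructed payload of the kind the question's "<script" search would be looking for.

```php
<?php
// Added example: store user input unmodified via PDO prepared statements,
// then escape once per output sink with the rule that sink needs.
declare(strict_types=1);

// HTML element content and quoted attribute values. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would silently drop the whole output.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// A value embedded inside a <script> block as a JSON literal. The JSON_HEX_*
// flags encode < > & ' " as \uXXXX, so a "</script>" inside the data cannot
// terminate the script block.
function esc_js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// A value placed in a URL query string. The result still has to be HTML-escaped
// when the URL itself sits inside an HTML attribute (nested contexts).
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Storage: the prepared statement takes care of SQL quoting. Nothing is
// HTML-escaped on the way in, so the database holds exactly what was sent.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: an attribute-breaking quote, a script tag and a
// premature closing tag.
$userInput = [
    'author' => 'Mallory" onmouseover="alert(1)',
    'body'   => '<script>alert(document.cookie)</script></script><b>x</b>',
];

$stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $userInput['author'], ':body' => $userInput['body']]);

$row = $db->query('SELECT author, body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
if ($row['body'] !== $userInput['body']) {
    throw new RuntimeException('stored data should be byte-for-byte the user input');
}

// Output: one escaping rule per sink. The attribute must be quoted in the
// template for esc_html() to be sufficient there.
$html = sprintf(
    '<div class="comment" data-author="%s">%s</div>' . "\n",
    esc_html($row['author']),
    esc_html($row['body'])
);
$script = sprintf(
    "<script>var comment = %s;</script>\n",
    esc_js_literal(['author' => $row['author'], 'body' => $row['body']])
);
$link = sprintf(
    '<a href="/comments?author=%s">permalink</a>' . "\n",
    esc_html(esc_url_param($row['author']))
);

echo $html, $script, $link;
```

Run it with `php example.php` and compare the three lines: the same stored string comes out as entity-encoded text in the HTML, as a JSON literal with `\u003C/script\u003E` in the script block, and percent-encoded (then entity-encoded, because it sits in an attribute) in the link. That is the point of escaping on output rather than on input: the database keeps one canonical copy, and each sink gets the encoding it actually needs.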