Protection against XSS exploits?

挽巷 2020-11-29 10:34

I'm newish to PHP but I hear XSS exploits are bad. I know what they are, but how do I protect my sites?

4 answers
  • 2020-11-29 11:09

    strip_tags() if you want to have no tags at all. Meaning anything like <somethinghere>
    htmlspecialchars() would convert them to HTML so the browser will only show and not try to run.
    If you want to allow good HTML I would use something like htmLawed or HTML Purifier

  • 2020-11-29 11:17

    The bad news

    Unfortunately, preventing XSS in PHP is a non-trivial undertaking.

    Unlike SQL injection, which you can mitigate with prepared statements and carefully selected white-lists, there is no provably secure way to separate the information you are trying to pass to your HTML document from the rest of the document structure.

    The good news

    However, you can mitigate known attack vectors by being particularly cautious with your escaping (and keeping your software up-to-date).

    The most important rule to keep in mind: Always escape on output, never on input. You can safely cache your escaped output if you're concerned about performance, but always store and operate on the unescaped data.

    XSS Mitigation Strategies

    In order of preference:

    1. If you are using a templating engine (e.g. Twig, Smarty, Blade), check that it offers context-sensitive escaping. I know from experience that Twig does. {{ var|e('html_attr') }}
    2. If you want to allow HTML, use HTML Purifier. Even if you think you only accept Markdown or ReStructuredText, you still want to purify the HTML these markup languages output.
    3. Otherwise, use htmlentities($var, ENT_QUOTES | ENT_HTML5, $charset) and make sure the rest of your document uses the same character set as $charset. In most cases, 'UTF-8' is the desired character set.

    Why shouldn't I filter on input?

    Attempting to filter XSS on input is premature optimization, which can lead to unexpected vulnerabilities in other places.

    For example, a recent WordPress XSS vulnerability employed MySQL column truncation to break their escaping strategy and allow the prematurely escaped payload to be stored unsafely. Don't repeat their mistake.

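The "escape on output, store unescaped" rule from the answer above, as an added example that is not part of the original answer. The helper names (`esc`, `preview`, `renderComment`) and the sample row are constructed for illustration, and `mb_substr()` assumes the mbstring extension is loaded.

```php
<?php
declare(strict_types=1);

// Added example: helper names and the sample row are constructed for illustration.
const PAGE_CHARSET = 'UTF-8';

/** Escape a raw string for HTML element content or a quoted attribute value. */
function esc(string $raw): string
{
    // ENT_QUOTES encodes both " and ', so either attribute quoting style is covered.
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
    return htmlentities($raw, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, PAGE_CHARSET);
}

/** Operate on the raw value first (here: truncate), escape only when emitting. */
function preview(string $rawBody, int $max = 40): string
{
    // Assumes ext-mbstring; cutting raw text can never split an entity in half.
    return esc(mb_substr($rawBody, 0, $max, PAGE_CHARSET));
}

/** Render one stored comment; $row holds the unescaped values as saved. */
function renderComment(array $row): string
{
    return sprintf(
        '<article title="%s"><h3>%s</h3><p>%s</p></article>',
        esc($row['author']),   // attribute context, always quoted
        esc($row['author']),   // element content
        preview($row['body'])
    );
}

// Constructed sample row, as it would sit unescaped in the database.
$row = [
    'author' => 'Mallory" onmouseover="alert(1)',
    'body'   => "<script>alert('xss')</script> Tom & Jerry say hi",
];

if (PHP_SAPI !== 'cli') {
    // The charset the browser is told must match the one passed to htmlentities().
    header('Content-Type: text/html; charset=' . PAGE_CHARSET);
}
echo renderComment($row), PHP_EOL;
```

This escaping covers element content and quoted attribute values only; values placed in URLs, inline scripts or CSS need an encoder for that context.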
  • 2020-11-29 11:21

    To prevent XSS attacks, you just have to check and validate properly all user-inputted data that you plan on using and don't allow HTML or JavaScript code to be inserted from that form. Or you can use htmlspecialchars() to convert HTML characters into HTML entities. So characters like <> that mark the beginning/end of a tag are turned into HTML entities, and you can use strip_tags() to only allow some tags, as the function does not strip out harmful attributes like onclick or onload.

  • 2020-11-29 11:21

    Escape all user data (data in the database from the user) with the htmlentities() function.

    For HTML data (for example from WYSIWYG editors), use HTML Purifier to clean the data before saving it to the database.
