What are the best practices for avoiding xss attacks in a PHP site

Front-end Unresolved 20 2332
佛祖请我去吃肉 2020-11-22 02:34

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputting that is derive

20 answers
  • 2020-11-22 03:17

    Personally, I would disable magic_quotes. In PHP5+ it is disabled by default and it is better to code as if it is not there at all as it does not escape everything and it will be removed from PHP6.

    Next, depending on what type of user data you are filtering will dictate what to do next e.g. if it is just text e.g. a name, then strip_tags(trim(stripslashes())); it or to check for ranges use regular expressions.

    If you expect a certain range of values, create an array of the valid values and only allow those values through (in_array($userData, array(...))).

    If you are checking numbers use is_numeric to enforce whole numbers or cast to a specific type, that should prevent people trying to send strings instead.

    If you have PHP5.2+ then consider looking at filter() and making use of that extension which can filter various data types including email addresses. Documentation is not particularly good, but is improving.

    If you have to handle HTML then you should consider something like PHP Input Filter or HTML Purifier. HTML Purifier will also validate HTML for conformance. I am not sure if Input Filter is still being developed. Both will allow you to define a set of tags that can be used and what attributes are allowed.

    Whatever you decide upon, always remember, never ever trust anything coming into your PHP script from a user (including yourself!).

    0 Discussion (0)
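The steps in this answer (strip tags from plain text, allow-list enumerated values, validate whole numbers, use the filter extension for e-mail) put together as an added PHP example. This is not the answerer's code; the field names and the sample request values are constructed, and it assumes PHP 7 or later with the default filter extension.

```php
<?php
// Added example: allow-list style input validation for a form handler.
// The $input array is a constructed stand-in for $_POST so the script runs offline.
declare(strict_types=1);

$input = [
    'name'  => "  <b>Alice</b>'s cat ",
    'role'  => 'superadmin',
    'age'   => '42abc',
    'email' => 'alice@example.com',
];

/** Plain-text field: drop tags and surrounding whitespace, then enforce a length. */
function cleanText(string $value, int $maxLen = 64): ?string
{
    $value = trim(strip_tags($value));
    // stripslashes() only belongs here when magic_quotes_gpc added the slashes;
    // with magic quotes off (the default since PHP 5.4) it would corrupt real backslashes.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return ($value !== '' && strlen($value) <= $maxLen) ? $value : null;
}

/** Enumerated field: accept only values from a fixed allow-list (strict comparison). */
function cleanChoice(string $value, array $allowed): ?string
{
    return in_array($value, $allowed, true) ? $value : null;
}

/** Whole number within a range; rejects "42abc", which an (int) cast would accept as 42. */
function cleanInt(string $value, int $min, int $max): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

/** E-mail address via the filter extension. */
function cleanEmail(string $value): ?string
{
    $e = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}

// null marks a rejected field; the caller decides whether to re-prompt or refuse the request.
$clean = [
    'name'  => cleanText($input['name']),
    'role'  => cleanChoice($input['role'], ['user', 'editor', 'admin']),
    'age'   => cleanInt($input['age'], 0, 150),
    'email' => cleanEmail($input['email']),
];
var_export($clean);
```

Validation like this narrows what reaches the database; it does not replace output encoding, because a name such as `O'Neil` is valid input and still needs escaping when it is rendered.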
  • 2020-11-22 03:17

    You should at least validate all data going into the database. And try to validate all data leaving the database too.

    mysql_real_escape_string is good to prevent SQL injection, but XSS is trickier. You should preg_match, strip_tags, or htmlentities where possible!

    0 Discussion (0)
  • 2020-11-22 03:18

    If you are concerned about XSS attacks, encoding your output strings to HTML is the solution. If you remember to encode every single output character to HTML format, there is no way to execute a successful XSS attack.

    Read more: Sanitizing user data: How and where to do it

    0 Discussion (0)
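Encoding every output for the context it lands in, as an added PHP example (not the answerer's code). The `$user` values are constructed stand-ins for data read from a request or the database, and the helper names `e`, `eJs`, `eUrl` and `safeHref` are this example's own.

```php
<?php
// Added example: encode untrusted data differently for HTML, JavaScript and URL contexts.
declare(strict_types=1);

// Constructed sample data containing the characters each context is sensitive to.
$user = [
    'name'    => '<script>alert(1)</script> O\'Neil',
    'website' => 'javascript:alert(1)',
    'bio'     => 'Likes "quotes" & <tags>',
];

/** HTML body and quoted-attribute context: escape & < > " and '. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Inline <script> context: JSON with the HTML-sensitive characters hex-escaped
 *  so a value cannot close the script block early. */
function eJs($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/** URL query-string component. */
function eUrl(string $s): string
{
    return rawurlencode($s);
}

/** href/src value: escaping alone does not neutralise a javascript: URL,
 *  so allow only http and https schemes and fall back to a harmless link. */
function safeHref(string $url): string
{
    $scheme = strtolower((string) (parse_url($url, PHP_URL_SCHEME) ?? ''));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}
?>
<!-- Attribute values must be quoted; e() is not sufficient for unquoted attributes. -->
<p>Hello, <?= e($user['name']) ?></p>
<input type="text" value="<?= e($user['bio']) ?>">
<a href="<?= safeHref($user['website']) ?>">site</a>
<a href="/search?q=<?= eUrl($user['name']) ?>">search</a>
<script>var profile = <?= eJs($user) ?>;</script>
```

The rule the answer states, encode every single output, is easiest to keep when the raw `<?= $value ?>` form never appears in templates at all and every interpolation goes through one of these helpers.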
  • 2020-11-22 03:19

    I find the best way is using a class that allows you to bind your code so you never have to worry about manually escaping your data.

    0 Discussion (0)
  • 2020-11-22 03:24

    rikh writes:

    I do my best to always call htmlentities() for anything I am outputing that is derived from user input.

    See Joel's essay on Making Code Look Wrong for help with this

    0 Discussion (0)
  • 2020-11-22 03:24

    The best current method for preventing XSS in a PHP application is HTML Purifier (http://htmlpurifier.org/). One minor drawback to it is that it's a rather large library and is best used with an op code cache like APC. You would use this in any place where untrusted content is being outputted to the screen. It is much more thorough than htmlentities, htmlspecialchars, filter_input, filter_var, strip_tags, etc.

    0 Discussion (0)