PHP XSS Question / Clarification

Question

This has been asked before but I need 100% clarity on this issue as it\'s very important for me to get it right.

The situation: A message system on a website. The

Answer 1

Please check the OWASP XSS Prevention Cheat Sheet. It will explain how to avoid XSS for different contexts. Htmlentities should do the job when between tags.

Answer 2

The misconception is that you want to escape the input, which is wrong. You have to filter the output (and database is also an output).

It means that when the form is submitted, you use mysql_real_escape_string() to send (output) data to database, and you use htmlspecialchars() to output the content on the screen. The same principle applies to regular expressions, where you'd use preg_quote(), and so on.

No matter where data is coming from, you have to escape it in the context of where you are sending it to.

So for preventing XSS attacks, you must use htmlspecialchars() / htmlentities(). mysql_real_escape_string has nothing to do with XSS (but you still have to use it when you are sending data to the database).

Answer 3

Use htmlspecialchars when outputting on an HTML page. It will display the data the same way the user entered it (so users can use something like <3 in their messages without stripping the rest of it)