What are the best practices for avoiding xss attacks in a PHP site [closed]

by

Escaping input is not the best you can do for successful XSS prevention. Also output must be escaped. If you use Smarty template engine, you may use |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use own |e modifier which is alias to the above).

My approach to input/output security is:

  • store user input not modified (no HTML escaping on input, only DB-aware escaping done via PDO prepared statements)
  • escape on output, depending on what output format you use (e.g. HTML and JSON need different escaping rules)

More Related Contents:

  1. xss attack on a php page
  2. How can I sanitize user input with PHP?
  3. The ultimate clean/secure function
  4. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  5. Best way to defend against mysql injection and cross site scripting
  6. CodeIgniter – why use xss_clean
  7. How do you set up use HttpOnly cookies in PHP
  8. How Secure Is This Login System? (Using Cookies In PHP)
  9. How to prevent XSS with HTML/PHP?
  10. Simplest two-way encryption using PHP
  11. PHP_SELF and XSS
  12. Full Secure Image Upload Script
  13. What does it mean to escape a string?
  14. PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?
  15. PHP MySQLI Prevent SQL Injection [duplicate]
  16. How to fake $_SERVER[‘REMOTE_ADDR’] variable?
  17. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  18. Login without HTTPS, how to secure?
  19. Is it safe to trust $_SERVER[‘REMOTE_ADDR’]?
  20. how safe are PDO prepared statements
  21. How to get rid of eval-base64_decode like PHP virus files?
  22. How can I relax PHP’s open_basedir restriction?
  23. How to run PHP exec() as root?
  24. Hiding true database object ID in url’s
  25. How to enable DDoS protection?
  26. Why should I use $_GET and $_POST instead of $_REQUEST? [duplicate]
  27. Codeigniter CSRF – how does it work
  28. How to protect my source code when deployed?
  29. Improve password hashing with a random salt
  30. Why is it considered bad practice to use “global” reference inside functions? [duplicate]

Leave a Comment