DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

Bentil Shadrack
Bentil Shadrack

Posted on • Updated on

Cross-site Scripting (XSS) and ways to prevent it in PHP applications

Web application security is a key component of any web-based application.
Due to security flaws in web browsers, XSS was first known as cross-site. If you had the windows for both sites active in your browser, you could use XSS to move information/data from one site to the other.
In this post, I will walk you through the details about the XSS and how you can prevent XSS attacks on your PHP web app.

Cross-Site Scripting (XSS)

What is XSS?
It is the unintended execution of remote code by a web client. An attacker can use XSS to send a malicious script to an unsuspecting user.
Any web application might expose itself to XSS if it takes input from a user and outputs it directly on a web page.

How do XSS Occur
XSS is typically added using a web form or hyperlink on a webpage. Any client-side language, including JavaScript, PHP, HTML, and VBScript, can use this code.

Data inputs coming from a client should never be trusted. GET, POST, and COOKIE values can be anything at all, and should therefore be validated before outputting them.
PHP provides a few ways to do this.

1️⃣HTML Encoding:

PHP htmlspecialchars function will convert any HTML special characters into their HTML encodings, meaning they will then not be processed as standard HTML
SYNTHAX

<?php
 // GET
 $input = htmlspecialchars($_GET['input']);
 // POST
 $input = htmlspecialchars($_POST['input'])
?>
Enter fullscreen mode Exit fullscreen mode

2️⃣URL Encoding:

When outputting a dynamically generated URL, PHP provides the urlencode function to safely output validated or sanitized URLs.
SYNTHAX

<?php
 $input = urlencode($_GET['input']);
?>
Enter fullscreen mode Exit fullscreen mode

Any malicious input will be converted to an encoded URL parameter.

3️⃣THIRD PARTY PHP LIBRARIES:

There are several third party PHP libraries which are commonly used to assist in XSS prevention.
ExamplesπŸ‘‡
HTML Purifier – here
PHP Anti-XSS – here
htmLawed – here

πŸ—Using PHP Filter Functions.

This function Sanitizes or Validates data sent to the PHP script in many ways.

Note✍

The PHP STRIP_TAGS() should NOT be used exclusively for sanitizing data. strip_tags() removes content between HTML tags and cannot prevent XSS instances that exist within HTML entity attributes. strip_tags() also does not filter or encode non-paired closing angle brackets.

Conclusion

Cross-Site Scripting is a versatile attack. It could be used to steal highly sensitive data, including user credentials, cookies, and data that has economic value.

What other ways can we prevent XSS. Kindly Share your ideas in the comments belowπŸ‘‡

You can support me to keep writing more for youπŸš€β€

buy me a coffee

Top comments (7)

Collapse
paul_dudink profile image
Paul Dudink

I believe it is recommended to use filter_var nowadays. Apart from XSS type of filtering it's also great to check for example an emailaddress, instead of using a regex. See all types of filters.

Collapse
giulio profile image
Giulio

I do agree, also using filter_input() and filter_input_array() should be preferred to using superglobals.

<?php
$customerEmail = filter_input( INPUT_GET, 'user_email', FILTER_SANITIZE_EMAIL );
Enter fullscreen mode Exit fullscreen mode
Collapse
qbentil profile image
Bentil Shadrack Author

Thanks for the input

Collapse
qbentil profile image
Bentil Shadrack Author

That's imperative to do.
Thanks for addingπŸ‘

Collapse
bigdan256 profile image
BigDan256

Careful with uploaded files too. For example, you could craft a javascript file starting with "GIF89", and pass to an upload script as an image, but then serve it as a script, gaining xss permissions.
Similarly, php sessions have a fallback url rewrite functionality for when cookies are disabled. User A grabs a rewritten url and passes it to User B eg by forum post. User B inherits that session and any action they perform on the site is shared with User A. Eg login. (May be a thing of the past, but a programmer could re-enable thinking its a good thing)

Collapse
qbentil profile image
Bentil Shadrack Author

That's a good addition.
thank you for sharing✨😊

Collapse
suckup_de profile image
Lars Moelleken

Hi, here is a maintained version of an AntiXSS library for PHP: github.com/voku/anti-xss

Find what you were looking for? Sign up so you can:

Β 
🌚 Enable dark mode
πŸ”  Change your default font
πŸ“š Adjust your experience level to see more relevant content