Web application security is a key component of any web-based application.
XSS got the "cross-site" part of its name from early browser flaws: with two sites open in the same browser, a script injected into one could read data from the other. Today the term covers any attack that gets attacker-controlled script to run in a victim's browser in the context of a vulnerable site.
In this post, I will walk you through what XSS is and how you can prevent XSS attacks in your PHP web app.
Cross-Site Scripting (XSS)
What is XSS?
XSS is an injection attack: attacker-supplied script ends up in a page that the vulnerable site serves, and the victim's browser runs it with that site's privileges (its cookies, its session, its DOM). The attacker does not run code on the server; they get the server to deliver their script to other users.
Any web application that takes input from a user (or from any source it does not control) and writes it into a page without encoding it for that context is exposed.
How Does XSS Occur?
The payload typically arrives through a web form field, a URL parameter, or a crafted hyperlink, and is stored or reflected back into a page. The injected code is whatever the browser will execute: HTML and JavaScript (historically also VBScript in Internet Explorer). PHP itself never runs in the browser; the flaw is in how the PHP code writes untrusted data into the HTML it generates.
Data coming from the client should never be trusted. GET, POST, and COOKIE values (and request headers, and anything previously stored from them) can be anything at all, so validate them on input and encode them for the context in which they are output.
PHP provides a few ways to do this.
1️⃣HTML Encoding:
PHP's htmlspecialchars() converts the characters that have special meaning in HTML (&, <, >, and the quotes) into their entity forms, so the browser displays them as text instead of parsing them as markup. Apply it at the point of output, every time a value lands in HTML. Pass ENT_QUOTES so single quotes are encoded too (before PHP 8.1 the default left them alone, which is unsafe inside single-quoted attributes), and pass the page's character set.
SYNTAX
<?php
// Encode at the point of output, for every value that lands in HTML.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// single- or double-quoted attributes as well as in text.
$input = $_GET['input'] ?? '';   // or $_POST['input']
echo '<p>' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . '</p>';
?>
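As an added example (not code from the original post), here is a page that reflects a request parameter, first in its vulnerable form and then with output encoding applied in each HTML context. The function names and the sample payload are illustrative assumptions:

```php
<?php
// Added example, not from the original post. Function names and the
// payload are illustrative assumptions.
declare(strict_types=1);

// Encode for an HTML text node or a quoted attribute value.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently drop output).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE: reflects the parameter verbatim into the page.
function renderGreetingUnsafe(string $name): string
{
    return "<p>Hello, $name</p>\n"
         . "<input type=\"text\" name=\"name\" value=\"$name\">\n";
}

// HARDENED: encodes at the point of output. The same value is used twice,
// in a text node and inside a double-quoted attribute, and both go through e().
function renderGreetingSafe(string $name): string
{
    return '<p>Hello, ' . e($name) . "</p>\n"
         . '<input type="text" name="name" value="' . e($name) . "\">\n";
}

// Constructed payload: closes the attribute, then injects a script tag.
$payload = '"><script>alert(document.cookie)</script>';

echo "--- unsafe ---\n", renderGreetingUnsafe($payload);
echo "--- safe ---\n",   renderGreetingSafe($payload);
```

In the unsafe output the quote and angle brackets reach the browser as markup, so the injected script tag is parsed and executed; in the safe output they arrive as &quot;, &lt; and &gt;, and the payload is displayed as text.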
2️⃣URL Encoding:
When building a URL that contains user-supplied values, use urlencode() (or rawurlencode(), which follows RFC 3986 and encodes spaces as %20 rather than +) on each value before it goes into the query string. This encodes a value inside a URL; it does not make a whole attacker-chosen URL safe, and a URL that is then printed into an HTML attribute still needs htmlspecialchars().
SYNTAX
<?php
// Percent-encode each value as it goes into the query string.
$url = '/search?q=' . urlencode($_GET['input'] ?? '');
// The URL is then emitted inside an HTML attribute, so HTML-encode it too.
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">search</a>';
?>
Characters such as &, =, ?, # and quotes become percent-escapes, so the value cannot add parameters or break out of the one it belongs to. If the entire URL comes from the user, also check its scheme: encoding does nothing against javascript:.
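The following is an added example, not code from the original post, and it goes one step beyond the text: it builds a link with an encoded query value, and then shows the case urlencode() cannot handle, a URL that is entirely user-supplied, which has to be allow-listed instead. The function names and sample values are illustrative assumptions:

```php
<?php
// Added example, not from the original post. Function names and sample
// values are illustrative assumptions.
declare(strict_types=1);

function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A user-supplied search term placed into a query string.
// rawurlencode() percent-encodes everything outside the RFC 3986 unreserved
// set (urlencode() is the same except spaces become "+"), so the value cannot
// add or break parameters. The finished URL then lands inside an HTML
// attribute, so it is HTML-encoded as well: two contexts, two encodings,
// applied inside-out.
function searchLink(string $term): string
{
    $url = '/search?q=' . rawurlencode($term) . '&page=1';
    return '<a href="' . e($url) . '">' . e($term) . '</a>';
}

// Encoding protects a value *inside* a URL. When the whole URL is user-supplied
// (a "redirect to" or "profile link" field), neither urlencode() nor
// htmlspecialchars() stops javascript:alert(1) from being a working href.
// Allow-list what the URL may be instead.
function safeLinkTarget(string $url): ?string
{
    // Site-relative path: a single leading "/" (but not "//host" or "/\host",
    // which browsers treat as scheme-relative).
    if (preg_match('#^/(?![/\\\\])#', $url) === 1) {
        return $url;
    }
    // Absolute URL: only http and https.
    if (preg_match('#^https?://#i', $url) === 1) {
        return $url;
    }
    return null;
}

echo searchLink('"><script>alert(1)</script> & more'), PHP_EOL;

// Constructed candidates for a user-supplied link field.
$candidates = ['/account?tab=1', 'https://example.com/', 'javascript:alert(1)', '//evil.example/'];
foreach ($candidates as $candidate) {
    $target = safeLinkTarget($candidate);
    echo str_pad($candidate, 24), ' => ', $target === null ? 'rejected' : 'ok', PHP_EOL;
}
```

Whatever safeLinkTarget() returns still goes through e() when it is written into an href, because allow-listing the scheme and HTML-encoding the attribute value are two separate defences.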
3️⃣THIRD PARTY PHP LIBRARIES:
There are several third party PHP libraries which are commonly used to assist in XSS prevention.
Examples👇
HTML Purifier
PHP Anti-XSS
htmLawed
🗝Using PHP Filter Functions.
These functions (filter_var(), filter_var_array(), filter_input(), filter_input_array()) validate or sanitize data sent to the PHP script. A validation filter such as FILTER_VALIDATE_EMAIL or FILTER_VALIDATE_INT returns false when the value does not match, which is usually what you want: reject bad input rather than try to clean it up. Validation decides what you accept; whatever you accept still has to be encoded when it is output.
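As an added example (not code from the original post), here is a form validated with one filter definition. The field names, the definition and the constructed request body are illustrative assumptions:

```php
<?php
// Added example, not from the original post. The field names, the filter
// definition and the request body are illustrative assumptions.
declare(strict_types=1);

// Constructed request body standing in for $_POST.
$request = [
    'email'   => 'alice@example.com',
    'age'     => '7',
    'website' => 'ftp://files.example.com/pub/',
    'nick'    => '<b>alice</b>',
];

$definition = [
    'email'   => FILTER_VALIDATE_EMAIL,
    'age'     => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 13, 'max_range' => 120],
    ],
    // Syntactically valid URL. FILTER_VALIDATE_URL accepts ftp:// and other
    // schemes, so the scheme is checked separately below.
    'website' => FILTER_VALIDATE_URL,
    // An allow-list of characters is easier to reason about than a deny-list.
    'nick'    => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[\p{L}\p{N}_ .-]{2,32}$/u'],
    ],
];

// Returns [validated values, errors]. A validation filter yields false for a
// value that fails and null for a field that is absent, so both are errors.
// With a live request, filter_input_array(INPUT_POST, $definition) takes the
// same definition and reads the superglobal for you.
function validateProfile(array $request, array $definition): array
{
    $clean  = filter_var_array($request, $definition);
    $errors = [];

    foreach ($definition as $field => $_) {
        if ($clean[$field] === false || $clean[$field] === null) {
            $errors[$field] = 'missing or invalid';
        }
    }

    // Extra check the filter does not do: restrict the scheme to http(s).
    if (!isset($errors['website'])) {
        $scheme = strtolower((string) parse_url($clean['website'], PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $errors['website'] = 'only http(s) links are allowed';
        }
    }

    return [$clean, $errors];
}

[$clean, $errors] = validateProfile($request, $definition);
print_r($errors);

// Validation decides whether to accept the data; it does not replace output
// encoding. Anything rendered still goes through htmlspecialchars().
if ($errors === []) {
    echo '<p>', htmlspecialchars($clean['nick'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), '</p>', PHP_EOL;
}
```

With the constructed request, age (below the range), website (ftp scheme) and nick (contains tags) are all reported; only email passes.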
Note✍
strip_tags() should NOT be relied on by itself to sanitize data. It removes tags but keeps their text content, and when you pass an allowed-tags list it keeps the attributes on those tags, so a javascript: href or an event-handler attribute on an allowed tag survives. It also does not encode its output: a stray closing angle bracket, or a quote that ends an attribute value, is passed through untouched.
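To make the note concrete, here is an added example (not code from the original post) that runs three constructed inputs through strip_tags() with an allowed-tags list and, for comparison, through htmlspecialchars(). The helper names are illustrative assumptions:

```php
<?php
// Added example, not from the original post: why strip_tags() alone is not
// an XSS defence. Sample inputs are constructed for illustration.
declare(strict_types=1);

$samples = [
    // Allowing <a> keeps its attributes, so a javascript: href survives.
    '<a href="javascript:alert(1)">profile</a>',
    // Event handlers on allowed tags survive as well.
    '<b onmouseover="alert(1)">hi</b>',
    // No "<" at all: strip_tags() has nothing to remove, yet inside a
    // value="..." attribute this closes the quote and adds a handler.
    '1 > 0 " onfocus=alert(1) autofocus x="',
];

// What the page would do if it trusted strip_tags() with an allow-list.
function stripOnly(string $html): string
{
    return strip_tags($html, '<a><b>');
}

// What it should do when the value is meant to be shown as text.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $sample) {
    echo 'strip_tags : ', stripOnly($sample), PHP_EOL;
    echo 'encoded    : ', encodeForHtml($sample), PHP_EOL, PHP_EOL;
}
```

All three inputs come back from strip_tags() unchanged, since each is either an allowed tag with its attributes intact or contains no tag at all; the encoded form turns the quotes and brackets into entities so none of them can change the markup. If you genuinely need to accept a subset of HTML, use a parser-based sanitizer such as the libraries listed above instead of strip_tags().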
Conclusion
Cross-Site Scripting is a versatile attack. It could be used to steal highly sensitive data, including user credentials, cookies, and data that has economic value.
What other ways are there to prevent XSS? Kindly share your ideas in the comments below👇
Top comments (8)
Careful with uploaded files too. For example, you could craft a JavaScript file starting with "GIF89", pass it to an upload script as an image, but then serve it as a script, gaining XSS permissions.
Similarly, PHP sessions have a fallback URL rewrite functionality for when cookies are disabled. User A grabs a rewritten URL and passes it to User B, e.g. by forum post. User B inherits that session and any action they perform on the site is shared with User A, e.g. login. (May be a thing of the past, but a programmer could re-enable it thinking it's a good thing.)
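The upload point raised in the comment above, as an added example that is not part of the original post or the comment: the upload side sniffs the real content, re-encodes the image so that anything that is not pixel data is dropped, and stores it under a server-chosen name; the serving side sets a fixed Content-Type and forbids sniffing. The directory, the MIME allow-list and the helper names are illustrative assumptions, and the re-encode step assumes the GD extension and PHP 8:

```php
<?php
// Added example, not from the original post. Paths, the allow-list and the
// helper names are illustrative assumptions; it is meant to be wired into
// an upload handler and a download endpoint. Assumes ext/gd and PHP 8.
declare(strict_types=1);

// Extension and Content-Type are chosen by the server from this list, never
// taken from the uploaded file's name or from the client's declared type.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Returns the stored file name, or null if the upload is rejected.
// Usage: $name = storeImage($_FILES['avatar']['tmp_name'], '/var/www/uploads');
function storeImage(string $tmpPath, string $uploadDir): ?string
{
    if (!is_uploaded_file($tmpPath)) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // A "GIF89a" header followed by JavaScript still sniffs as image/gif.
    // Decoding and re-encoding with GD keeps only the pixels, so trailing
    // script, EXIF and metadata chunks are dropped (or the decode fails and
    // the file is rejected).
    $image = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($image === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = match ($mime) {
        'image/png'  => imagepng($image, $dest),
        'image/jpeg' => imagejpeg($image, $dest, 85),
        'image/gif'  => imagegif($image, $dest),
    };
    imagedestroy($image);
    return $ok ? $name : null;
}

// Serve uploads with a fixed Content-Type and forbid MIME sniffing, so even
// a polyglot file cannot be loaded as a script from this origin.
function serveImage(string $uploadDir, string $name): void
{
    // Only names this code generated are accepted; no path traversal possible.
    if (preg_match('/^[0-9a-f]{32}\.(png|jpg|gif)$/', $name) !== 1) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_IMAGE_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

Serving user content from a separate origin (a dedicated uploads host) keeps any residual problem out of the main site's cookies and DOM. For the session point in the same comment, the relevant php.ini directives are session.use_only_cookies=1 and session.use_trans_sid=0 (the defaults since PHP 7.1), plus session.use_strict_mode=1 so an ID the server never issued is not adopted.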
That's a good addition.
thank you for sharing✨😊
I believe it is recommended to use filter_var nowadays. Apart from XSS type of filtering it's also great to check, for example, an email address, instead of using a regex. See all types of filters.
I do agree, also using filter_input() and filter_input_array() should be preferred to using superglobals.
Thanks for the input
That's imperative to do.
Thanks for adding👏
Hi, here is a maintained version of an AntiXSS library for PHP: github.com/voku/anti-xss
Hello Julia
Thank you for reaching out.
I will contact you asap