PHP: How to completely prevent XSS attacks?

Question

PHP: How to completely prevent XSS attacks?

How can I completely prevent xss attacks in PHP? This assumes that I do not need any HTML tags or other formatting. Is it enough to just run strip_tags and be completely safe?

+2

javascript php xss

howdoi May 09 '11 at 7:54

source share

2 answers

Pekka 웃 · Answer 1 · 2011-05-09T07:56:19+0000

Both htmlspecialchars() and strip_tags() are considered safe for clearing user input for output on an HTML page.

on this topic:

Is strip_tags () vulnerable to attack scripts?

Gordonm · Answer 2 · 2011-05-09T08:32:51+0000

The easiest way is to simply prevent users from entering HTML tags. If you strip_tags () or htmlspecialchars () are all user input, then there is no way to enter the <script> .

If you want to allow limited markup, then you can use syntax like bbcode (finding the PHP library should not be difficult for this, although I have never done it myself, so I have no recommendations for this front), or you can use HTMLpurifier to limit markup that users can enter.

PHP: How to completely prevent XSS attacks?

More articles: