How to prevent XSS with HTML PHP

Question

How do I prevent XSS  cross-site scripting  using just HTML and PHP   I ve seen numerous other posts on this topic but I have not found an article that clear and concisely states how to actually prevent XSS

User · Answer

In order of preference    If you are using a templating engine  e g  Twig  Smarty  Blade   check that it offers context-sensitive escaping  I know from experience that Twig does     var e  html attr      If you want to allow HTML  use HTML Purifier  Even if you think you only accept Markdown or ReStructuredText  you still want to purify the HTML these markup languages output  Otherwise  use htmlentities  var  ENT QUOTES   ENT HTML5   charset  and make sure the rest of your document uses the same character set as  charset  In most cases   UTF-8  is the desired character set    Also  make sure you escape on output  not on input

User · Answer

lt  php function xss clean  data       Fix  amp entity n   data   str replace array   amp amp     amp lt     amp gt     array   amp amp amp     amp amp lt     amp amp gt      data    data   preg replace     amp    w    x00- x20    u     1     data    data   preg replace     amp  x  0-9A-F      iu     1     data    data   html entity decode  data  ENT COMPAT   UTF-8        Remove any attribute starting with  on  or xmlns  data   preg replace     lt    gt      x00- x20        on xmlns    gt     gt  iu     1 gt     data       Remove javascript  and vbscript  protocols  data   preg replace     a-z     x00- x20     x00- x20             x00- x20  j  x00- x20  a  x00- x20  v  x00- x20  a  x00- x20  s  x00- x20  c  x00- x20  r  x00- x20  i  x00- x20  p  x00- x20  t  x00- x20    iu     1  2nojavascript       data    data   preg replace     a-z     x00- x20             x00- x20  v  x00- x20  b  x00- x20  s  x00- x20  c  x00- x20  r  x00- x20  i  x00- x20  p  x00- x20  t  x00- x20    iu     1  2novbscript       data    data   preg replace     a-z     x00- x20             x00- x20  -moz-binding  x00- x20    u     1  2nomozbinding       data       Only works in IE   lt span style  width  expression alert  Ping       gt  lt  span gt   data   preg replace     lt    gt     style  x00- x20     x00- x20            expression  x00- x20       gt     gt  i     1 gt     data    data   preg replace     lt    gt     style  x00- x20     x00- x20            behaviour  x00- x20       gt     gt  i     1 gt     data    data   preg replace     lt    gt     style  x00- x20     x00- x20            s  x00- x20  c  x00- x20  r  x00- x20  i  x00- x20  p  x00- x20  t  x00- x20       gt     gt  iu     1 gt     data       Remove namespaced elements  we do not need them   data   preg replace    lt    w   w   gt     gt  i        data    do          Remove really unwanted tags      old data    data       data   preg replace    lt      applet b   ase gsound link  embed frame   set   i   frame layer  l   ayer ink  meta object s   cript tyle  title xml    gt     gt  i        data     while   old data      data       we are done    return  data

User · Answer

Cross-posting this as a consolidated reference from the SO Documentation beta which is going offline  Problem Cross-site scripting is the unintended execution of remote code by a web client   Any web application might expose itself to XSS if it takes input from a user and outputs it directly on a web page   If input includes HTML or JavaScript  remote code can be executed when this content is rendered by the web client  For example  if a 3rd party side contains a JavaScript file     http   example com runme js document write  quot I m running quot     And a PHP application directly outputs a string passed into it   lt  php echo   lt div gt       GET  input       lt  div gt     If an unchecked GET parameter contains  lt script src  quot http   example com runme js quot  gt  lt  script gt  then the output of the PHP script will be   lt div gt  lt script src  quot http   example com runme js quot  gt  lt  script gt  lt  div gt   The 3rd party JavaScript will run and the user will see  quot I m running quot  on the web page  Solution As a general rule  never trust input coming from a client   Every GET parameter  POST or PUT content  and cookie value could be anything at all  and should therefore be validated   When outputting any of these values  escape them so they will not be evaluated in an unexpected way  Keep in mind that even in the simplest applications data can be moved around and it will be hard to keep track of all sources   Therefore it is a best practice to always escape output  PHP provides a few ways to escape output depending on the context  Filter Functions PHPs Filter Functions allow the input data to the php script to be sanitized or validated in many ways  They are useful when saving or outputting client input  HTML Encoding htmlspecialchars will convert any  quot HTML special characters quot  into their HTML encodings  meaning they will then not be processed as standard HTML   To fix our previous example using this method   lt  php echo   lt div gt     htmlspecialchars   GET  input        lt  div gt       or echo   lt div gt     filter input INPUT GET   input   FILTER SANITIZE SPECIAL CHARS      lt  div gt     Would output   lt div gt  amp lt script src  amp quot http   example com runme js amp quot  amp gt  amp lt  script amp gt  lt  div gt   Everything inside the  lt div gt  tag will not be interpreted as a JavaScript tag by the browser  but instead as a simple text node  The user will safely see   lt script src  quot http   example com runme js quot  gt  lt  script gt   URL Encoding When outputting a dynamically generated URL  PHP provides the urlencode function to safely output valid URLs   So  for example  if a user is able to input data that becomes part of another GET parameter   lt  php  input   urlencode   GET  input        or  input   filter input INPUT GET   input   FILTER SANITIZE URL   echo   lt a href  quot http   example com page input  quot      input     quot  gt Link lt  a gt     Any malicious input will be converted to an encoded URL parameter  Using specialised external libraries or OWASP AntiSamy lists Sometimes you will want to send HTML or other kind of code inputs  You will need to maintain a list of authorised words  white list  and un-authorized  blacklist   You can download standard lists available at the OWASP AntiSamy website  Each list is fit for a specific kind of interaction  ebay api  tinyMCE  etc      And it is open source  There are libraries existing to filter HTML and prevent XSS attacks for the general case and performing at least as well as AntiSamy lists with very easy use  For example you have HTML Purifier

User · Answer

Use htmlspecialchars on PHP  On HTML try to avoid using   element innerHTML               element outerHTML               document write        document writeln        where var is controlled by the user    Also obviously try avoiding eval var   if you have to use any of them then try JS escaping them  HTML escape them and you might have to do some more but for the basics this should be enough

User · Answer

Many frameworks help handle XSS in various ways  When rolling your own or if there s some XSS concern  we can leverage filter input array  available in PHP 5    5 2 0  PHP 7    I typically will add this snippet to my SessionController  because all calls go through there before any other controller interacts with the data  In this manner  all user input gets sanitized in 1 central location  If this is done at the beginning of a project or before your database is poisoned  you shouldn t have any issues at time of output   stops garbage in  garbage out      Prevent XSS input      GET     filter input array INPUT GET  FILTER SANITIZE STRING     POST    filter input array INPUT POST  FILTER SANITIZE STRING      I prefer not to use   REQUEST   but for those who do       REQUEST    array   POST    array   GET    array   REQUEST    The above will remove ALL HTML  amp  script tags  If you need a solution that allows safe tags  based on a whitelist  check out HTML Purifier     If your database is already poisoned or you want to deal with XSS at time of output  OWASP recommends creating a custom wrapper function for echo  and using it EVERYWHERE you output user-supplied values     xss mitigation functions function xssafe  data  encoding  UTF-8        return htmlspecialchars  data ENT QUOTES   ENT HTML401  encoding     function xecho  data       echo xssafe  data

User · Answer

Basically you need to use the function htmlspecialchars   whenever you want to output something to the browser that came from the user input   The correct way to use this function is something like this   echo htmlspecialchars  string  ENT QUOTES   UTF-8      Google Code University also has these very educational videos on Web Security     How To Break Web Software - A look at security vulnerabilities in web software  What Every Engineer Needs to Know About Security and Where to Learn It

User · Answer

One of the most important steps is to sanitize any user input before it is processed and or rendered back to the browser   PHP has some  filter  functions that can be used   The form that XSS attacks usually have is to insert a link to some off-site javascript that contains malicious intent for the user   Read more about it here   You ll also want to test your site - I can recommend the Firefox add-on XSS Me

User · Answer

You are also able to set some XSS related HTTP response headers via header          X-XSS-Protection  1  mode block    to be sure  the browser XSS protection mode is enabled      Content-Security-Policy  default-src  self          to enable browser-side content security  See this one for Content Security Policy  CSP  details  http   content-security-policy com  Especially setting up CSP to block inline-scripts and external script sources is helpful against XSS     for a general bunch of useful HTTP response headers concerning the security of you webapp  look at OWASP  https   www owasp org index php List of useful HTTP headers

User · Answer

The best way to protect your input it s use htmlentities function  Example   htmlentities  target  ENT QUOTES   UTF-8      You can get more information here

[php] How to prevent XSS with HTML/PHP?

Examples related to php

Examples related to xss