Web application security is a key component of any web-based application.
XSS was first known as "cross-site" because of security flaws in web browsers: if you had the windows for both sites open in your browser, XSS could be used to move information or data from one site to the other.
In this post, I will walk you through the details of XSS and how you can prevent XSS attacks on your PHP web app.
Cross-Site Scripting (XSS)
What is XSS?
It is the unintended execution of remote code by a web client. An attacker can use XSS to send a malicious script to an unsuspecting user.
Any web application might expose itself to XSS if it takes input from a user and outputs it directly on a web page.
How Does XSS Occur?
XSS is typically injected through a web form or a hyperlink on a webpage. The injected code can be written in any client-side language, including JavaScript, PHP, HTML, and VBScript.
Data inputs coming from a client should never be trusted. GET, POST, and COOKIE values can be anything at all, and should therefore be validated before outputting them.
PHP provides a few ways to do this.
1️⃣HTML Encoding:
PHP's htmlspecialchars function converts any HTML special characters into their HTML encodings, meaning they will not be processed as standard HTML.
SYNTAX
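<?php
// GET: encode &, <, >, " and ' so the value is rendered as text, not markup
$input = htmlspecialchars($_GET['input'] ?? '', ENT_QUOTES, 'UTF-8');
// POST: same encoding; ?? '' avoids a warning when the key is missing
$input = htmlspecialchars($_POST['input'] ?? '', ENT_QUOTES, 'UTF-8');
?>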
2️⃣URL Encoding:
When outputting a dynamically generated URL, PHP provides the urlencode function to safely output validated or sanitized URLs.
SYNTAX
<?php
$input = urlencode($_GET['input']);
?>
Any malicious input will be converted to an encoded URL parameter.
3️⃣THIRD PARTY PHP LIBRARIES:
There are several third-party PHP libraries that are commonly used to assist in XSS prevention.
Examples👇
HTML Purifier
PHP Anti-XSS
htmLawed
🗝Using PHP Filter Functions.
These functions sanitize or validate data sent to the PHP script in many ways.
Note✍
PHP's strip_tags() should NOT be used exclusively for sanitizing data. strip_tags() removes content between HTML tags and cannot prevent XSS instances that exist within HTML entity attributes. strip_tags() also does not filter or encode non-paired closing angle brackets.
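The difference described in the note above, together with the encoding and filter functions from the earlier sections, shown as an added example that is not part of the original post. The sample inputs, the helper names e() and valid_page(), and the /search.php path are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Encode a value for HTML text or a quoted attribute (hypothetical helper).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate a positive integer with the filter extension; null means "reject".
function valid_page($raw): ?int
{
    $page = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? null : $page;
}

// Constructed sample inputs standing in for $_GET / $_POST values.
$samples = [
    'plain text'          => 'Alice',
    'script tag'          => '<script>alert(1)</script>',
    'attribute injection' => '" onfocus="alert(1)',
    'unpaired bracket'    => 'a > b',
];

foreach ($samples as $label => $raw) {
    // strip_tags() alone: quotes and lone brackets pass through unchanged,
    // so the value can still close the attribute it is placed in.
    $stripped = '<input value="' . strip_tags($raw) . '">';
    // htmlspecialchars() with ENT_QUOTES: quotes become entities and the
    // value stays inside the attribute.
    $encoded = '<input value="' . e($raw) . '">';
    printf("%-20s strip_tags: %s\n%-20s encoded:    %s\n", $label, $stripped, '', $encoded);
}

// URL context: urlencode() the parameter value, then HTML-encode the whole
// href because it is written into an attribute. /search.php is a made-up path.
$query = 'report 2024&admin=1';
$href  = '/search.php?q=' . urlencode($query);
printf("link: <a href=\"%s\">results</a>\n", e($href));

// Validation: accept only what the field is supposed to contain.
// Inputs: a well-formed id, an id with markup appended, and an out-of-range id.
var_dump(valid_page('7'));
var_dump(valid_page('7<script>'));
var_dump(valid_page('0'));
```

Run it with the PHP CLI and compare the two lines printed for "attribute injection": only the encoded form keeps the whole input inside the value attribute.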
Conclusion
Cross-Site Scripting is a versatile attack. It could be used to steal highly sensitive data, including user credentials, cookies, and data that has economic value.
What other ways can we prevent XSS? Kindly share your ideas in the comments below👇