PhpRiot
News Archive
PhpRiot Newsletter
Your Email Address:

More information

Jason Stiles' Blog: How To Protect Your Site From XSS With PHP

Note: This article was originally published at PHPDeveloper on 14 June 2011.
PHPDeveloper

In a recent post to his blog Jason Stiles takes a look at some of the things you can do with PHP to help protect your site from XSS (cross-site scripting attacks) with some basic filtering.

Cross-Site Scripting (XSS) is a type of attack where a hacker attempts to inject client-side scripting into a webpage that others are able to view. The attack could be as simple as an annoying alert window or as sophisticated as stealing a logged in user's credentials (commonly saved in browser cookies). [...] Since these types of user input can immediately be displayed to other user's, the attack could be spread pretty quickly and even without your knowledge.

He provides a basic function to get you started filtering the input from your users - a "xss_protect" method that takes in the data, whether to strip HTML tags or not and an optional set of allowed tags if you do. He also asks for opinions and better methods in his comments:

No solution is going to be perfect, but at least now you have a head start! If you have ways of improving this function, let myself and everyone else know in the comments.