Both htmlspecialchars() and strip_tags() are considered safe for cleaning user input for output on an HTML page.
Related:
The easiest way is to simply prevent any users from entering HTML tags. If you strip_tags() or htmlspecialchars() all user input then there is no way to introduce a <script> tag.
If you want to allow limited markup, then you can use a bbcode-like syntax (finding a PHP library for doing this shouldn’t be hard, though I’ve never done this myself so don’t have any recommendations on that front), or you could use HTMLpurifier to restrict the markup that users are allowed to enter.
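As an added example (editor's own code, not taken from either answer above), the script below runs the same constructed payloads through htmlspecialchars() and strip_tags() and prints the result in a text context and in an attribute context, then shows the HTML Purifier route for limited markup. The function names are mine; the HTML Purifier part assumes the ezyang/htmlpurifier package is installed with Composer and its autoloader has been required, and is skipped otherwise.

```php
<?php
declare(strict_types=1);

// Added example (editor's own, not code from the answers above): what
// htmlspecialchars() and strip_tags() each do to the same untrusted input,
// and why the output context decides whether the result is safe.

// Escape for insertion into HTML text or a double-quoted attribute value.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of making the whole call return an empty string.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Remove tags only. Quotes, '=' and '>' outside a tag survive untouched,
// and text between tags (including the body of <script>) is kept.
function stripHtml(string $s): string
{
    return strip_tags($s);
}

// Optional: allow-list sanitising with HTML Purifier. Assumes the library
// was installed with Composer (ezyang/htmlpurifier) and the autoloader was
// required; returns null if the class is not available.
function purifyLimitedMarkup(string $s): ?string
{
    if (!class_exists('HTMLPurifier')) {
        return null;
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href]');                           // elements/attributes allowed
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);   // rejects javascript: URLs
    return (new HTMLPurifier($config))->purify($s);
}

// Constructed sample inputs, as an attacker might submit them.
$scriptPayload = '<script>alert(1)</script><b onmouseover="alert(2)">hi</b>';
$attrPayload   = '" onfocus="alert(3)" autofocus="';   // contains no tags at all

echo "--- text context ---\n";
echo '<p>' . escapeForHtml($scriptPayload) . "</p>\n";   // browser renders the payload as literal text
echo '<p>' . stripHtml($scriptPayload) . "</p>\n";       // tags removed, inner text kept

echo "--- attribute context ---\n";
echo '<input value="' . escapeForHtml($attrPayload) . "\">\n"; // quotes escaped, value stays one attribute
echo '<input value="' . stripHtml($attrPayload) . "\">\n";     // nothing to strip: the onfocus handler survives

echo "--- strip_tags() with an allow-list keeps attributes on allowed tags ---\n";
echo strip_tags($scriptPayload, '<b>') . "\n";   // the onmouseover attribute is still present

if (($clean = purifyLimitedMarkup($scriptPayload)) !== null) {
    echo "--- HTML Purifier ---\n";
    echo $clean . "\n";   // <script> and the event handler attribute are dropped, <b>hi</b> is kept
}
```

The point the attribute-context lines make is that strip_tags() removes markup but does not escape quotes, so a value that contains no tags at all can still break out of an attribute; htmlspecialchars() with ENT_QUOTES is the right tool when the output lands inside HTML text or a quoted attribute, and a proper sanitiser such as HTML Purifier is the right tool when some markup must be allowed through.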