What are the best practices for avoiding XSS attacks in a PHP site?

Mar 12, 2012   //   by phpfreelancer.biz   //   Blog, PHP Tutorial  //  No Comments

Have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputting that is derived from user input.

Escaping input alone is not enough for XSS prevention; output must be escaped as well. If you use the Smarty template engine, you can use the |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use my own |e modifier, which is an alias for the above).

My approach to input/output security is:

store user input unmodified (no HTML escaping on input; only database-aware escaping, done via PDO prepared statements)
escape on output, depending on the output format you use (e.g. HTML and JSON need different escaping rules)
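The two rules put together in PHP, as an added example that is not from the original post: the comment text is constructed sample input, and the script assumes the pdo_sqlite extension and PHP 7.3 or later (for JSON_THROW_ON_ERROR).

```php
<?php
// Added example (not from the original post): store user input unmodified via a
// PDO prepared statement, then escape at output time according to the context.
// An in-memory SQLite database is used so the script runs stand-alone.
declare(strict_types=1);

// Escape for an HTML body or attribute context. ENT_QUOTES covers both quote
// styles, so the value is also safe inside a single- or double-quoted attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a value embedded in a JavaScript/JSON context, e.g. inside a <script>
// block. The JSON_HEX_* flags encode < > & ' " as \uXXXX escapes, so a stored
// "</script>" cannot terminate the surrounding script element.
function escapeJson(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input: the kind of string a hostile visitor might submit.
$userComment = '<script>alert("x")</script> "quoted" & <b>bold</b>';

// Store the raw string. The prepared statement handles SQL quoting and nothing else;
// no HTML escaping happens on the way in.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $userComment]);

// Read it back unmodified and escape at the point of output, once per context.
$stored = $db->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();

// HTML context: the browser renders the tags as literal text instead of executing them.
echo '<p class="comment">' . escapeHtml($stored) . "</p>\n";

// JSON/JavaScript context: the value becomes a string literal the page script can use.
echo '<script>var comment = ' . escapeJson($stored) . ";</script>\n";
```

The same stored value is emitted twice with different escaping; reusing the HTML escaper for the script block (or vice versa) would leave one of the two contexts open.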
