Cross-site scripting, as seen previously, happens when the data shown to the user is not correctly encoded and the browser interprets it as script code and executes it. This also has an input validation factor, as malicious code is usually injected through input variables.
In this recipe, we will cover the input validation and output encoding that developers need to prevent XSS vulnerabilities in their applications.
For input validation, the PHP function filter_var can be used; for example, if you want to keep only the characters that are valid in an e-mail address:

<?php
// FILTER_SANITIZE_EMAIL strips every character that is not allowed in an e-mail address
$email = "john(.doe)@exa//mple.com";
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
echo $email;
?>
For output encoding, you can use htmlspecialchars in PHP:

<?php
// htmlspecialchars converts <, >, &, and " into their HTML entities, so the tags are displayed, not parsed
$str = "The JavaScript HTML tags are <script> for opening, and </script> for closing.";
echo htmlspecialchars($str);
?>
Apart from proper input validation and not using user input as output information, sanitization and encoding are key aspects in preventing XSS.
Sanitization means removing the characters that are not allowed from the string; this is useful when no special characters should exist in input strings.
Encoding converts special characters to their HTML entity representations; for example, "&" to "&amp;" or "<" to "&lt;". Some applications allow the use of special characters in input strings; for them sanitization is not an option, so they should encode the inputs before inserting them into the page and storing them in the database.
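The following script, added here as an example and not taken from the recipe, puts the two halves together: it validates and, if necessary, sanitizes an e-mail address with filter_var, and then encodes every value at the point where it is written into the HTML page. The input array is constructed for the example (a real application would read it from $_POST), and the helper e() is a name chosen here, not a PHP built-in.

```php
<?php
// Constructed sample input standing in for $_POST; the name carries a script tag
// and the e-mail contains characters that are not valid in an address.
$input = [
    'name'  => 'John <script>alert(1)</script> Doe',
    'email' => 'john(.doe)@exa//mple.com',
];

// 1. Input validation: FILTER_VALIDATE_EMAIL accepts only a well-formed address.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    // Fall back to sanitization, then re-validate: FILTER_SANITIZE_EMAIL only
    // strips disallowed characters, it does not guarantee a valid address.
    $email = filter_var($input['email'], FILTER_SANITIZE_EMAIL);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Invalid e-mail address');
    }
}

// 2. Output encoding for the HTML body and attribute contexts (helper defined for this example).
// ENT_QUOTES also encodes single quotes, which matters inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// passing the charset explicitly avoids relying on the default_charset setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (left commented out): the raw name is echoed and the browser
// would parse and run the <script> element it contains.
// echo "<p>Welcome, " . $input['name'] . "</p>";

// Hardened pattern: the same name is rendered as inert text because < > & " '
// have been replaced by entities, and the validated e-mail is safe as an attribute value.
echo "<p>Welcome, " . e($input['name']) . "</p>\n";
echo '<input type="text" name="email" value="' . e($email) . '">' . "\n";
?>
```

Run it with php from the command line and view the page source: the script tag in the name appears as literal text, and the e-mail shown in the form field is the sanitized address. Encoding is done once, at output time, so the stored value can still be used in other contexts (JSON, SQL parameters) with their own encoding.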