
I am printing directly from the URL like this:

if (isset($_GET['name'])) {
    echo $_GET['name'];
}

but my friend told me that it's bad and vulnerable to XSS. How is it bad, and what should I do to prevent XSS?

1 Answer

Just wrap content that should not contain tags in htmlspecialchars:

echo htmlspecialchars($_GET["name"]);
Orangepill
  • So you mean I should use this function everywhere when I want to echo content taken from the user? – IE kills stay away from it Jul 11 '13 at 04:39
  • Definitely a good start, but note that `htmlspecialchars` alone is not a silver bullet against XSS, especially when putting user input into HTML attributes, for example. It's all about context; what you specifically do with the user input. – Wesley Murch Jul 11 '13 at 04:47
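An added example, not part of the answer above, of applying Orangepill's advice while keeping Wesley Murch's point about context in mind: one escaping helper (the name `e()` is my choice) used for both HTML text and quoted attribute values, with a constructed sample value standing in for `$_GET['name']`.

```php
<?php
// Added example, not from the original answer.
// Declare the output charset so the browser does not guess it.
header('Content-Type: text/html; charset=UTF-8');

// ENT_QUOTES escapes both ' and ", so the result is safe inside
// single- or double-quoted attributes as well as in element text.
// Before PHP 8.1 the default flag set (ENT_COMPAT) left single quotes
// untouched, so always pass the flags and the charset explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input in place of $_GET['name'].
$name = "O'Brien <b>\"x\"</b>";

// Text context: the tags are rendered as literal characters.
echo '<p>Hello, ' . e($name) . "</p>\n";

// Attribute context: the value is quoted in the markup AND escaped,
// so the quotes in the input cannot terminate the attribute early.
echo '<input type="text" name="name" value="' . e($name) . "\">\n";

// Contrast: with the pre-8.1 defaults the single quote survives, which
// is only acceptable inside a double-quoted attribute or element text.
echo htmlspecialchars($name), "\n";
```

Escaping belongs at the point of output, and the right function depends on where the value lands: this helper covers element text and quoted attributes, but values placed in URLs, JavaScript, or CSS need their own context-specific encoding.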