How to prevent XSS in PHP

php methods to prevent xss: 1. When PHP outputs html, use htmlentities(), RemoveXss(), HTMLPurifier.auto.php for filtering; 2. When setting cookies, add the HttpOnly parameter; 3. Development When using the API, check the Referer parameter of the request.

php prevents xss

1. If PHP directly outputs html, you can use the following method. Filter:

htmlspecialchars function

htmlentities function

HTMLPurifier.auto.php plug-in

RemoveXss function

2. If PHP outputs to JS code, or develops Json API, the front end needs to be filtered in JS:

Try to use innerText (IE) and textContent (Firefox), which is jQuery's text () to output text content

You must use innerHTML and other functions, you need to do filtering similar to php's htmlspecialchars

3. Other general supplementary defenses Means

When outputting html, add the Http Header of Content Security Policy

Function: It can prevent the page from being embedded in third-party script files when it is attacked by XSS

Defects: IE or lower version browsers may not support

2. When setting cookies, add the HttpOnly parameter

Function: It can prevent the cookie information from being used when the page is attacked by XSS. Stealing, compatible to IE6

Defect: The JS code of the website itself cannot operate cookies, and its function is limited, it can only ensure the security of cookies

3. When developing API, check the request Referer parameter

Function: It can prevent CSRF attacks to a certain extent

Defect: In IE or lower version browsers, the Referer parameter can be forged

The above is the detailed content of How to prevent XSS in PHP. For more information, please follow other related articles on the PHP Chinese website!