PHP’s ultimate solution to defend against XSS injection [Information Security] [Hack]
1: If PHP outputs HTML directly, you can filter the output with one of the following:
1. htmlspecialchars function
2. htmlentities function
3. HTMLPurifier.auto.php plug-in
4. RemoveXss function (can be found on Baidu)
2: If PHP outputs into JS code, or you are developing a JSON API, the front end needs to filter in JS:
1. Try to use innerText (IE) and textContent (Firefox), that is, jQuery's text(), to output text content
2. If you must use innerHTML or similar functions, you need to apply filtering similar to PHP's htmlspecialchars (refer to @eechen's answer)
3: Other general supplementary defense methods
1. When outputting HTML, add the Content Security Policy HTTP header
(Function: when the page is attacked by XSS, it can prevent third-party script files, etc. from being embedded)
(Defect: IE and older browser versions may not support it)
2. When setting cookies, add the HttpOnly parameter
(Function: it can prevent cookie information from being stolen when the page is attacked by XSS, and it is compatible with IE6)
(Defect: the website's own JS code cannot operate on the cookies either, and its effect is limited: it can only ensure the security of cookies)
3. When developing APIs, check the Referer parameter of the request
(Function: it can prevent CSRF attacks to a certain extent)
(Defect: in IE and older browser versions, the Referer parameter can be forged)
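The following is an added example, not code from the original article, showing how htmlspecialchars from section 1 combines with the Content Security Policy header and the HttpOnly cookie parameter from section 3 in a single page. The helper name e(), the sample comment, the cookie name and value, and the /static/app.js path are assumptions made for illustration; the array form of setcookie() requires PHP 7.3 or later.

```php
<?php
// Added example: names and sample values below are constructed for illustration.
declare(strict_types=1);

// Escape untrusted text for an HTML element body or a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and " (the default before PHP 8.1 left ' alone).
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for a request parameter.
$comment = '<script>alert(1)</script> "quoted" & \'single\'';

// Headers and cookies must be sent before any output.
// This policy allows scripts only from the site's own origin, so inline
// <script> blocks and third-party script files are refused by the browser.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

setcookie('session_id', 'constructed-sample-value', [
    'path'     => '/',
    'httponly' => true, // the cookie is not readable through document.cookie
]);

// Data for the page's own JS goes into a data attribute as JSON. The JSON text
// is HTML-escaped like any other attribute value; the script reads it with
// JSON.parse and should write it to the page with textContent, not innerHTML.
$payload = json_encode(['comment' => $comment], JSON_THROW_ON_ERROR);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Escaped output</title></head>
<body>
  <!-- Element body: the markup in $comment is displayed as text. -->
  <p><?= e($comment) ?></p>

  <!-- Quoted attribute: the quotes in $comment cannot close the attribute. -->
  <input type="text" name="comment" value="<?= e($comment) ?>">

  <!-- External script only, which is what the policy above permits. -->
  <script src="/static/app.js" data-payload="<?= e($payload) ?>"></script>
</body>
</html>
```

htmlspecialchars covers element bodies and quoted attributes only; unquoted attributes, URLs in href/src and inline script or style contexts need their own handling.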