How do you prevent XSS in PHP

Prevent cross-site scripting (XSS)

Cross-site scripting (XSS) plays the card of the “trustworthy website”. If pages on a site the user trusts contain scripts that are not trustworthy, the user does not notice this at first. These scripts are mostly JavaScript that other users (in this case the attackers) have smuggled in. So there are two preconditions for cross-site scripting:

  • Scripts can be smuggled in (the PHP program does not check user input)
  • Content is displayed again unfiltered (the PHP program does not check its output)

These usually occur together, because a programmer who does not think about security ignores both points :).

In the simplest case, the scripts can "only" greet all subsequent visitors with an arbitrary welcome message that pops up and has to be explicitly closed.

Or, put more briefly:

XSS attacks are annoying in themselves, but they form the basis for further attacks that are often used to gain access to sensitive data.

In the worst case, the scripts steal the user's identity (the session) unnoticed, and the attacker can then navigate the website as an "authenticated user" and possibly use chargeable services (if offered) that are subsequently billed to the indignant user.

Note: anyone who hoped to learn how to hack here is out of luck! Hence the fictitious call of the function gives_mir_your_cookie_and_chuess() (a placeholder name, roughly "give me your cookie and goodbye"), which in a real attack would point at a server controlled by the attacker. Sadly, there are many sites devoted to how to become a would-be hacker without conveying the original philosophy behind it.

If you are wondering where a user can make entries that are then read by other users, just think of guest books, visitor forums, etc.

The drastic thing is that such a weak point endangers the entire content of the domain. A discussion forum is hastily bolted onto an existing offering (e.g. a dating site). Because nobody wants to spend time or money on it, an off-the-shelf solution is taken, which unfortunately contains these weak points and thereby endangers the actual application.

A line in the PHP program of the form:

should be avoided wherever possible: an input that was already left unfiltered when it was received is output again unfiltered.

So on output, whenever you know that no HTML tags are supposed to be rendered, the value should always be passed through the PHP function htmlentities() (htmlspecialchars() does the same for the characters that matter here: &, <, >, " and '). Pass ENT_QUOTES explicitly so that single quotes are encoded as well; on PHP versions before 8.1 the default flags left them alone.

All critical characters are escaped. The
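The following is an added example (not code from the original page) that puts the line warned about above next to its escaped form. A constructed payload stands in for $_POST so the script runs from the command line; the helper name e() and the field name "kommentar" are assumptions for this demo. It also shows the case the page only hints at: a value placed inside an HTML attribute needs no < or > at all to break out, which is why the attribute must be quoted and the value encoded with ENT_QUOTES.

```php
<?php
// Added example, not the page's own code: the same user input emitted with
// and without output encoding, in HTML text and in a quoted attribute.
// Run with: php escape_demo.php

// Escape a value for insertion into HTML text or a *quoted* attribute.
// ENT_QUOTES also encodes the single quote, ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the input is reflected as-is (the line the text warns about).
function renderUnsafe(string $comment): string
{
    return "<p>" . $comment . "</p>\n"
         . "<input name=\"kommentar\" value=\"" . $comment . "\">\n";
}

// Hardened: every dynamic value passes through e() at the point of output.
function renderSafe(string $comment): string
{
    return "<p>" . e($comment) . "</p>\n"
         . "<input name=\"kommentar\" value=\"" . e($comment) . "\">\n";
}

// Constructed attacker inputs (assumptions for this demo). The second one
// contains no angle brackets; it closes the value="" attribute instead and
// adds an event handler, so filtering only < and > would not stop it.
$payloads = [
    "<script>alert('XSS')</script>",
    "\" autofocus onfocus=\"alert(document.cookie)",
];

foreach ($payloads as $p) {
    echo "--- unsafe ---\n", renderUnsafe($p);
    echo "--- safe ---\n", renderSafe($p);
}
```

In the safe variant the browser shows the payload as literal text, because &, <, >, " and ' have been replaced by entities. Note that e() is only correct for HTML text and quoted attributes; a value dropped into a JavaScript block, a URL or an unquoted attribute needs a different encoder.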

From unsafe to improved application

Using the greatly simplified example of a guest book, the problems are dealt with step by step, and the unsafe areas are explained and eliminated. The generated source code is deliberately not valid HTML; it is kept as simple as possible, since it serves research and teaching purposes.

Function of the guest book in the example

Only one comment can be entered in our guest book; one line of text is enough for us. We spare ourselves fields for name, e-mail and website: they would only inflate the example unnecessarily without adding to what is learned. The content is written to a text file. You can try the example at home, but you should never put these first steps online!

Depending on the web server settings, the quotation marks in the JavaScript are escaped with backslashes. The following entry can then be found in the "gaestebuch.txt" file:

This means that magic_quotes is switched on in php.ini (note: magic_quotes was never an XSS defence; it was deprecated in PHP 5.3 and removed in PHP 5.4, so current PHP versions no longer have this setting at all):

With magic_quotes switched off, every time the page is called up, every visitor now sees an alert box with the text XSS, which must first be confirmed.

However, if the attacker enters something without quotation marks, they bypass this setting anyway:

With the PHP function htmlentities() we now convert all external content into the corresponding HTML entities. In our example, that means the less-than sign < becomes &lt; after the conversion.

Because of the conversion, the script can no longer execute, even if the entry, now shown as plain text, messes up the look of the guest book.

And if we know that no PHP and HTML tags are allowed at all, we can use the PHP function strip_tags() to remove all HTML and PHP tags before output.

After that, only “” remains of the user input “”.
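As an added example (not the page's own guest book code), here is the whole flow from the last few steps in one script: comments are appended to gaestebuch.txt one per line, read back, and rendered four ways, unfiltered, with addslashes() standing in for magic_quotes, HTML-encoded, and stripped of tags and then encoded. It covers both the quote-free payload that bypasses magic_quotes and the strip_tags() step. The file name, the helper names and the three sample comments are assumptions for this demo.

```php
<?php
// Added example, not the page's own code: a one-line-per-comment guest book
// rendered four ways to show which defence actually holds.
// Run with: php gaestebuch_demo.php

const GUESTBOOK_FILE = __DIR__ . '/gaestebuch.txt'; // assumed file name

// Store a comment exactly as received, one entry per line. Line breaks in
// the input are replaced, otherwise one entry would become several.
function storeComment(string $comment): void
{
    $line = str_replace(["\r", "\n"], ' ', $comment);
    file_put_contents(GUESTBOOK_FILE, $line . "\n", FILE_APPEND | LOCK_EX);
}

function loadComments(): array
{
    if (!is_file(GUESTBOOK_FILE)) {
        return [];
    }
    return file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
}

// 1) Unfiltered: what the original guest book does.
function renderRaw(string $c): string
{
    return "<p>$c</p>";
}

// 2) magic_quotes emulation: addslashes() only backslashes quotes and
//    backslashes. A payload without quotes passes through untouched.
function renderAddslashes(string $c): string
{
    return "<p>" . addslashes($c) . "</p>";
}

// 3) HTML-encode on output: the actual fix. < becomes &lt; and so on.
function renderEncoded(string $c): string
{
    return "<p>" . htmlspecialchars($c, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>";
}

// 4) Remove tags first, then still encode. strip_tags() deletes <...>
//    but does not encode & or stray < and >, so it is not an encoder.
function renderStripped(string $c): string
{
    $text = strip_tags($c);
    return "<p>" . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>";
}

// Constructed entries (assumptions): a benign one, the classic one, and one
// that uses no quotation marks at all, so addslashes() has nothing to touch.
@unlink(GUESTBOOK_FILE);
storeComment('Hello from Bob & Alice');
storeComment("<script>alert('XSS')</script>");
storeComment('<img src=x onerror=alert(String.fromCharCode(88,83,83))>');

foreach (loadComments() as $c) {
    echo "raw:        ", renderRaw($c), "\n";
    echo "addslashes: ", renderAddslashes($c), "\n";
    echo "encoded:    ", renderEncoded($c), "\n";
    echo "stripped:   ", renderStripped($c), "\n\n";
}
```

Only the encoded variants are safe to send to a browser. Two caveats worth keeping in mind: strip_tags() with an allowed-tags list does not touch the attributes of the tags it keeps, so `<b onmouseover=...>` survives, and stripping happens on input here only for readability; the reliable place for the defence is the output, as the page says.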

And yet you will have no joy with this guest book, because it is currently the sport of spammers to fill out every form they can find anywhere. This happens automatically, so in a very short time you will find plenty of advertising junk for Viagra and dirty pages that you generally do not want.

XSS attacks are annoying in their own right, but they often form the basis for further attacks that are used to gain access to sensitive data. XSS attacks are therefore the preparation for session hijacking, which is dealt with in the chapter after next.
