PHP

HTML Escaping User Input to Prevent XSS

Learn to prevent Cross-Site Scripting (XSS) attacks by properly escaping user-provided data before rendering it in HTML, ensuring secure web applications.

function escapeHtml(string $data): string {
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Example usage:
$user_input = "<script>alert('You've been hacked!');</script><b>Hello!</b>";
$safe_output = escapeHtml($user_input);
echo $safe_output; // Outputs: &lt;script&gt;alert(&#039;You&#039;ve been hacked!&#039;);&lt;/script&gt;&lt;b&gt;Hello!&lt;/b&gt;

How it works: This PHP snippet demonstrates how to prevent Cross-Site Scripting (XSS) vulnerabilities by escaping user-provided input using `htmlspecialchars()`. The function converts special characters like `<`, `>`, `&`, `"`, and `'` into their corresponding HTML entities. This ensures that malicious scripts embedded in user input are rendered as text rather than executable code in the browser, thereby safeguarding the application and its users.

Need help integrating this into your project?

Our team of expert developers can help you build your custom application from scratch.

Hire DigitalCodeLabs

HTML Escaping User Input to Prevent XSS

Related PHP Snippets

Secure Password Hashing and Verification

Prevent SQL Injection with Prepared Statements (PDO)

Find Common Key-Value Pairs in Associative Arrays

Need help integrating this into your project?