PHP
Sanitize User Input to Prevent Cross-Site Scripting (XSS)
Learn to safely sanitize user-supplied data on the server-side to prevent Cross-Site Scripting (XSS) attacks before displaying it in your web application.
<?php
// Example of unsanitized user input
$userInputRaw = "<script>alert('XSS Attack!');</script><h1>Malicious Heading</h1>";
$userCommentRaw = "Hello, <img src='x' onerror='alert(\"XSS\")'> User!";

// --- Basic Output Escaping (displaying user input in HTML) ---
// The most crucial defense against XSS when outputting user data into HTML.
$sanitizedOutput = htmlspecialchars($userInputRaw, ENT_QUOTES, 'UTF-8');
echo "<div>Output using htmlspecialchars: " . $sanitizedOutput . "</div>\n";

$sanitizedComment = htmlspecialchars($userCommentRaw, ENT_QUOTES, 'UTF-8');
echo "<p>Comment using htmlspecialchars: " . $sanitizedComment . "</p>\n";

// --- More Advanced Sanitization (e.g., allowing specific HTML tags) ---
// If you need to allow *some* HTML, a dedicated library is recommended (e.g., HTML Purifier).
// NEVER use strip_tags() alone for XSS prevention if you allow any HTML, as it's insufficient.
// Example using a hypothetical 'sanitization' function (simplified, for illustration only).
// In a real application, use a robust library like HTML Purifier.
function safeHtmlForDisplay($html) {
    // Remove unwanted tags, attributes, and script injection attempts.
    // This is a very basic example and not fully secure for all cases.
    $html = preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $html); // Remove script tags
    $html = strip_tags($html, '<b><i><em><strong><a><p><span>'); // Keep only the listed tags
    // Note: this final step also escapes the tags kept above, so they are shown as literal
    // text rather than rendered. The output is safe, but no HTML actually survives as markup.
    $html = htmlspecialchars($html, ENT_QUOTES, 'UTF-8'); // Escape everything that is left
    return $html;
}

$userInputWithAllowedTags = "<p>This is <b>bold</b> and <i>italic</i>. <script>alert('XSS');</script> <a href='javascript:alert(\"XSS\")'>Click me</a></p>";
$safelyFilteredHtml = safeHtmlForDisplay($userInputWithAllowedTags);
echo "<div style='border:1px solid #ccc; padding:10px;'>Filtered HTML: " . $safelyFilteredHtml . "</div>\n";
// Notice how script tags are removed and the javascript: URL is escaped
?>
How it works: This PHP snippet demonstrates essential practices for sanitizing user input to prevent Cross-Site Scripting (XSS) attacks. The primary defense for displaying user-generated content in HTML is `htmlspecialchars()`, which converts special characters (like `<`, `>`, `&`, `'`, `"`) into their HTML entities, rendering them harmless. For scenarios where allowing a specific subset of HTML tags is required, relying solely on `strip_tags()` or regex is insufficient and risky. Instead, robust, dedicated HTML sanitization libraries like HTML Purifier are strongly recommended to safely filter and whitelist allowed HTML while stripping out malicious content and attributes.
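As an added example (not part of the original snippet), here is the allow-list approach the comments point toward, implemented with PHP's built-in DOMDocument: tags outside the list are unwrapped, script/style elements are dropped with their contents, and every attribute except a plain http(s) href on `<a>` is removed, so event handlers and javascript: URLs cannot survive. The helper names `cleanNode` and `allowListSanitize` and the sample input are my own; this illustrates the idea and is not a substitute for HTML Purifier.

```php
<?php
// Added example, not part of the original snippet: a minimal DOM-based allow-list
// filter keeping only listed tags and, on <a>, a plain http(s) href. strip_tags()
// keeps every attribute on the tags it allows, so it cannot do this on its own.

function cleanNode(DOMNode $node, array $allowed): void {
    // Snapshot the child list: removing and moving nodes mutates it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) {
                $node->removeChild($child);            // comments, CDATA, PIs
            }
            continue;                                  // text is serialized escaped
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child);                // drop element and its contents
            continue;
        }
        cleanNode($child, $allowed);                   // clean descendants first
        if (!in_array($tag, $allowed, true)) {         // unwrap: keep children, drop tag
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $keep = $tag === 'a' && $attr->name === 'href' && preg_match('#^https?://#i', trim($attr->value)) === 1;
            if (!$keep) {
                $child->removeAttribute($attr->name);  // drops on*= handlers, style, etc.
            }
        }
    }
}

function allowListSanitize(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // tolerate malformed markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body, ['b', 'i', 'em', 'strong', 'a', 'p', 'span']);
    // Serialize the cleaned children; text nodes come out entity-escaped.
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($body->childNodes)));
}

// Constructed sample input covering the cases the snippet above mentions
$untrusted = "<p>Hi <b onmouseover=\"alert(1)\">there</b> <a href=\"javascript:alert('XSS')\">click</a>"
    . " <script>alert('XSS')</script><a href=\"https://example.com/\">ok</a></p>";
echo "strip_tags: " . strip_tags($untrusted, '<b><i><em><strong><a><p><span>') . "\n";
echo "allow-list: " . allowListSanitize($untrusted) . "\n";
```

Compare the two output lines: the strip_tags result still carries the onmouseover handler and the javascript: href, while the allow-list result keeps only the bare tags and the https link.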