How do I HTML Encode all the output in a web application?

Frontend | Unresolved | 11 | 1514
暖寄归人 2020-12-10 17:20

I want to prevent XSS attacks in my web application. I found that HTML Encoding the output can really prevent XSS attacks. Now the problem is that how do I HTML encode every

11 answers
  •  心在旅途
    2020-12-10 17:42

    You could wrap echo / print etc. in your own methods which you can then use to escape output. i.e. instead of

    echo "blah";

    use

    myecho('blah');

    You could even have a second param that turns off escaping if you need it.

    In one project we had a debug mode in our output functions which made all the output text going through our method invisible. Then we knew that anything left on the screen HADN'T been escaped! Was very useful tracking down those naughty unescaped bits :)
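As an added example, not code from the answer above, here is one way to build such an output wrapper in PHP: an escaping `myecho()` with an opt-out parameter for markup you generated yourself, plus the "debug mode" the answer describes, in which everything that passes through the wrapper is hidden so that whatever is still visible on the page must have bypassed it. The names `myecho()`, `myformat()`, `set_output_debug()` and the `OUTPUT_DEBUG` toggle are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Assumed global toggle: when true, escaped output is rendered invisible so
// that any text still showing on the page did NOT go through the wrapper.
$GLOBALS['OUTPUT_DEBUG'] = false;

function set_output_debug(bool $on): void
{
    $GLOBALS['OUTPUT_DEBUG'] = $on;
}

/**
 * Escape a string for an HTML element or attribute context.
 * $raw = true skips escaping; use it only for markup the application built
 * itself, never for anything derived from user input.
 */
function myformat(string $text, bool $raw = false): string
{
    // ENT_QUOTES escapes both " and ', so the result is safe inside
    // single- or double-quoted attributes as well as in element text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    $out = $raw
        ? $text
        : htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if ($GLOBALS['OUTPUT_DEBUG']) {
        // Debug trick from the answer: everything that went through the
        // wrapper disappears; unescaped leftovers stay visible.
        $out = '<span style="display:none">' . $out . '</span>';
    }
    return $out;
}

// Drop-in replacement for echo: escape, then print.
function myecho(string $text, bool $raw = false): void
{
    echo myformat($text, $raw);
}

// Constructed untrusted value, as it might arrive from a form field.
$untrusted = '<script>alert(1)</script> "Bob" & \'Alice\'';

myecho($untrusted);                              // tags and quotes are neutralised
echo "\n";
myecho('<strong>built by the app</strong>', true); // trusted markup, printed as-is
echo "\n";

set_output_debug(true);
myecho($untrusted);                              // wrapped in a hidden span
echo "\n";
echo $untrusted;                                 // bypasses the wrapper: still visible, so not escaped
```

Two caveats worth keeping in mind when adopting this pattern: `htmlspecialchars()` covers the HTML element and attribute contexts only, so values placed inside a `<script>` block, a URL, or a CSS value need the encoder for that context; and in templates the short echo tag `<?= $x ?>` is a plain `echo`, so it must be replaced with the wrapper too, or the debug mode above will flag it.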
