How to prevent cross site scripting

Frontend · unresolved · 2 · 1346
一整个雨季 2020-12-18 11:20

I have the following form that users fill in:

Related tags:
2 answers
  • 2020-12-18 11:30

    This is called a security issue: cross-site scripting. You have many methods to avoid it.

    What's the best method for sanitizing user input with PHP?

    For example, if you have an option to input an email address, you have to validate it like below:

    <?php
    // Run the submitted value through PHP's email sanitizing filter
    // (strips characters that are not valid in an email address)
    $email = filter_var($_POST['username'], FILTER_SANITIZE_EMAIL);
    ?>
    

    If there is an option to enter a string, then you have to validate it like below:

    <?php
    // Strip tags and encode quotes, then trim surrounding whitespace.
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
    $password = trim(filter_var($_POST['password'], FILTER_SANITIZE_STRING));
    ?>
    

    In your case you have to do something like below:

    // Encode HTML special characters in the submitted values
    $Name  = htmlentities($_POST['Name']);
    $email = htmlentities($_POST['email']);
    

    Instead of the above, follow the filter sanitizing method:

    // Sanitize each field with the filter matching its expected type
    // (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
    $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    $Name  = trim(filter_var($_POST['Name'], FILTER_SANITIZE_STRING));
    
  • 2020-12-18 11:35

    Do not attempt to prevent XSS attacks during input. Always escape on output.

    See also: Stored XSS in Wordpress 4.2 caused by MySQL column truncation. Filtering on output would have prevented these conditions.

    Instead, what you want to do is just use prepared statements and store the data naked. (You should still validate the data of course! Make sure they've given you an email address when you asked for one, etc.)

    When you are pulling the data from the database to display on a webpage, that is when you want to filter. And you want to do it like this (assuming you don't need to allow users to provide some HTML):

    // Escape at output time: encode &, <, >, " and ' for an HTML5 page served as UTF-8
    echo htmlentities($row['column'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    

    Why ENT_QUOTES | ENT_HTML5 and 'UTF-8'?

    I'm assuming your web page is using HTML5 (i.e. <!DOCTYPE html>) and your charset is UTF-8 (i.e. in the <meta> tag as well as in the HTTP Content-Type header). Please adjust if you're using something different for either.

    We specify ENT_QUOTES to tell htmlentities() to escape quote characters (" and '). This is helpful for situations such as:

    <input type="text" name="field" value="<?php echo $escaped_value; ?>" />
    

    If you failed to specify ENT_QUOTES, an attacker simply needs to pass " onload="alert('XSS'); as a value to that form field and, presto! Instant client-side code execution.

    We specify 'UTF-8' so htmlentities() knows what character set to work with. The reason we do this is, as demonstrated against mysql_real_escape_string(), an incorrect (especially attacker-controlled) character encoding can defeat string-based escaping strategies.

    Note that this will escape all HTML special characters and prevent users from supplying any markup. If you need to allow some HTML, we outlined the best strategies for preventing XSS. In a nutshell:

    • Using Twig? The below example is safe. Note the use of {% autoescape %} blocks for specifying the default strategy, but overriding it with |e('html') for other_variable:

      {% autoescape 'html_attr' %}
      <p class="{{ variable }}" id="{{ var_two }}">
          {{ other_variable|e('html') }}
      </p>
      {% endautoescape %}
      
    • If all else fails, use HTML Purifier.
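The following Python script is an added illustration of the two answers above; it is not code from either poster or from the question. It models the htmlentities() flags ENT_NOQUOTES, ENT_COMPAT and ENT_QUOTES with html.escape plus a small helper, renders the <input value="..."> template from the second answer, and then parses the result with the standard-library HTML parser to see which attributes a browser would end up with. It goes a little beyond the text: it also shows the single-quoted attribute case, where escaping only double quotes (ENT_COMPAT) is still not enough, and it shows that a tag-stripping "sanitizer" on input, of the kind the first answer proposes, passes both attacker strings untouched because neither contains an angle bracket. The attacker strings, the render template and the helper names are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs (not from the original post). Neither contains
# "<" or ">", so tag-stripping "sanitization" on input passes them untouched.
ATTACK_DQ = '" onload="alert(\'XSS\');'   # breaks out of value="..."
ATTACK_SQ = "' onload='alert(1)"           # breaks out of value='...'


def strip_tags_like(value):
    """Input-side 'sanitizer' in the spirit of the first answer: drops anything
    that looks like a tag. Attribute-context payloads survive it unchanged."""
    return re.sub(r"<[^>]*>", "", value)


def escape_noquotes(value):
    """Like htmlentities() with ENT_NOQUOTES: encodes &, < and > only."""
    return html.escape(value, quote=False)


def escape_compat(value):
    """Like htmlentities() with ENT_COMPAT: also encodes double quotes, not single."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def escape_quotes(value):
    """Like htmlentities() with ENT_QUOTES: encodes both quote characters."""
    return html.escape(value, quote=True)


def render_input(value, escaper, quote_char='"'):
    """Render the <input ... value=...> template from the answer with the given
    escaper. quote_char is how the template quotes the attribute value."""
    q = quote_char
    return f'<input type="text" name="field" value={q}{escaper(value)}{q} />'


class _FirstInput(HTMLParser):
    """Record the attributes the parser sees on the first <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    """Attributes of the first <input> in markup, as a browser-like parser sees them."""
    parser = _FirstInput()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def injected_handler(value, escaper, quote_char='"'):
    """True if the rendered field acquires an onload attribute, i.e. the payload
    escaped the attribute value and became new markup."""
    return "onload" in parsed_attributes(render_input(value, escaper, quote_char))


if __name__ == "__main__":
    for name, esc in (("ENT_NOQUOTES", escape_noquotes),
                      ("ENT_COMPAT", escape_compat),
                      ("ENT_QUOTES", escape_quotes)):
        dq = injected_handler(ATTACK_DQ, esc, '"')
        sq = injected_handler(ATTACK_SQ, esc, "'")
        print(f"{name:12} value=\"...\" injected: {dq}   value='...' injected: {sq}")
```

Only the ENT_QUOTES-style escaper keeps both templates safe; the other two let at least one payload turn into a new onload attribute, and the input-side tag stripper never sees anything to remove. Escaping at output time, with knowledge of the context the value lands in, is what closes the hole.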