Hi All,

My application is written in PHP. There is a search page which is vulnerable to cross-site scripting. I have used PHP sanitizing filters to resolve this.
I have two versions of the application. In one version it's working fine.
In the other version, even after using the filters, the application is still allowing dynamic execution of scripts.

Please help me with how to prevent XSS attacks / dynamic script execution.


What I have tried:

// Strips tags and encodes quotes in the input (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
$keyword = filter_var($_POST["tbSearch"] ?? '', FILTER_SANITIZE_STRING);

$recordsperpage = 15;
// Only accept a numeric page index; otherwise fall back to the first page
$page = is_numeric($_POST['pagination_page'] ?? null) ? (int) $_POST['pagination_page'] : 0;
$startindex = $page * $recordsperpage;

// Build the query string; urlencode() is the correct encoder for the URL context
$querystring = "";
$querystring .= "search=" . urlencode($keyword);
$querystring .= "&recordcount=" . $recordsperpage;
$querystring .= "&startindex=" . $startindex;

// Collapse runs of whitespace into a single space
$keyword = preg_replace('/\s+/', ' ', $keyword);

Updated 13-Apr-21 5:08am
Richard Deeming 27-Mar-18 14:59pm
Preventing XSS is not about filtering the input; it's about properly encoding the output.

Cross-Site Scripting (XSS) — Survive The Deep End: PHP Security :: v1.0a1
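To illustrate the point in the reply above, here is an added example (not code from the question or from the reply) that escapes the search keyword at output time, separately for each context it lands in; the function names and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);

// HTML text or quoted-attribute context: encode &, <, >, " and '.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, and the charset is explicit.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: json_encode yields a valid JS string literal,
// and the JSON_HEX_* flags hex-escape < > & ' " so the value can neither
// close the enclosing <script> element nor terminate the literal.
function escJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Renders the search box, a result heading and a small inline script.
// The same raw keyword is emitted three times, each with the encoder
// matching its context; no input filtering is relied upon for safety.
function renderSearchPage(string $keyword): string
{
    $attr = escHtml($keyword);   // value="..." attribute
    $text = escHtml($keyword);   // element text content
    $js   = escJs($keyword);     // JavaScript string literal
    $html = "<input type=\"text\" name=\"tbSearch\" value=\"{$attr}\" />\n";
    $html .= "<h2>Results for {$text}</h2>\n";
    $html .= "<script>var lastSearch = {$js};</script>\n";
    return $html;
}

// Constructed sample input: exercises both quote styles, angle brackets
// and an ampersand, the characters that matter for each context above.
$sample = 'O\'Neil & "sons" <b>ltd</b>';
echo renderSearchPage($sample);
```

Run it from the command line to see the three encoded forms; the input filter in the question can stay for data-quality reasons, but the output encoding is what keeps the page from executing injected markup.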
