Click here to Skip to main content
15,892,746 members
Search within:


How to secure PHP from XSS attack - filter sanitizers not working
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
HTML
PHP
Hi All,

My application is in php code. There is a search page which is vulnerable to cross-site scripting. I have used Php sanitizing filters to resolve this.
I have two versions of application. In one version its working fine.
In another version of application after using filters also application is allowing dynamic execution of scripts.

Please help me how to prevent from XSS attack/ dynamic script execution.

Thanks

What I have tried:

$keyword = filter_var($_POST["tbSearch"], FILTER_SANITIZE_STRING);

$recordsperpage = 15;
$page = (is_numeric($_POST['pagination_page']) ? $_POST['pagination_page'] : 0);
$startindex = $page * $recordsperpage;

$querystring = "";
$querystring .= "search=".urlencode($keyword);
$querystring .= "&recordcount=".$recordsperpage;
$querystring .= "&startindex=".$startindex;

$keyword = preg_replace('/\s+/',' ',$keyword);




" />
Posted
Updated 13-Apr-21 4:08am
Add a Solution
Comments
Richard Deeming 27-Mar-18 14:59pm    
Preventing XSS is not about filtering the input; it's about properly encoding the output.

Cross-Site Scripting (XSS) — Survive The Deep End: PHP Security :: v1.0a1[^]

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise
Privacy
Cookies
Terms of Use
Last Updated 13 Apr 2021
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900