My application is written in PHP. There is a search page which is vulnerable to cross-site scripting. I have used PHP sanitizing filters to resolve this.
I have two versions of the application. In one version it's working fine.
In another version of the application, even after using the filters, the application is still allowing dynamic execution of scripts.
Please help me with how to prevent an XSS attack / dynamic script execution.
What I have tried:
<?php
// FILTER_SANITIZE_STRING strips tags from the input; note it is deprecated since PHP 8.1.
// The null-coalescing default avoids an "undefined index" warning when the field is missing.
$keyword = filter_var($_POST['tbSearch'] ?? '', FILTER_SANITIZE_STRING);
// Collapse runs of whitespace before the keyword is used anywhere (including the query string).
$keyword = preg_replace('/\s+/', ' ', trim($keyword));
$recordsperpage = 15;
// Accept only a non-negative integer page number; reject anything else by falling back to page 0.
$page = (isset($_POST['pagination_page']) && is_numeric($_POST['pagination_page']))
    ? max(0, (int) $_POST['pagination_page'])
    : 0;
$startindex = $page * $recordsperpage;
$querystring = "";
$querystring .= "search=" . urlencode($keyword);
$querystring .= "&recordcount=" . $recordsperpage;
$querystring .= "&startindex=" . $startindex;
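Stripping tags on input does not by itself stop XSS: whatever survives the filter is still written back into the page, and it is the output context (HTML text, a quoted attribute, a URL) that decides which characters are dangerous. The reliable fix is to encode each value for the context it is inserted into, at the point of output. The following is an added example written for this answer, not code from the question; it assumes the form posts a tbSearch field and that the results page echoes the keyword into a heading, the search box value and a pagination link. The search.php URL and the sample input are constructed.

```php
<?php
declare(strict_types=1);

// Encode a value for insertion into HTML text or a double-quoted HTML attribute.
// ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the charset must match the page's charset.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the search results fragment; every dynamic value is encoded where it is output.
function renderSearchPage(string $keyword, int $page, int $recordsPerPage): string
{
    $keyword    = preg_replace('/\s+/', ' ', trim($keyword));
    $page       = max(0, $page);                 // never a negative offset
    $startIndex = $page * $recordsPerPage;

    // URL context: urlencode() each value while building the query string ...
    $nextQuery = 'search=' . urlencode($keyword)
               . '&recordcount=' . $recordsPerPage
               . '&startindex=' . ($startIndex + $recordsPerPage);

    // ... and HTML-attribute context: the finished URL is encoded again with h()
    // because it is placed inside an href attribute.
    return '<h1>Results for: ' . h($keyword) . '</h1>' . "\n"
         . '<input type="text" name="tbSearch" value="' . h($keyword) . '">' . "\n"
         . '<a href="search.php?' . h($nextQuery) . '">Next page</a>' . "\n";
}

// Tell the browser which charset to decode with, so it matches the charset used by h().
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample input standing in for $_POST['tbSearch'] and $_POST['pagination_page'].
$sampleKeyword = '<b>bold</b> & "quoted"   text';
$samplePage    = 2;

echo renderSearchPage($sampleKeyword, $samplePage, 15);
```

Run from the command line, the sample keyword is printed as `&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot; text` in both the heading and the input value, so the browser renders it as literal text instead of markup; the same value in the link is first percent-encoded for the URL and then entity-encoded for the attribute. Keep the input-side filtering if you like, but treat it as a convenience, not a security control: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so two PHP versions cannot be relied on to behave identically, whereas output encoding with htmlspecialchars() behaves the same on every supported version.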