php methods to prevent xss: 1. When PHP outputs html, use htmlentities(), RemoveXss(), HTMLPurifier.auto.php for filtering; 2. When setting cookies, add the HttpOnly parameter; 3. Development When using the API, check the Referer parameter of the request.
php prevents xss
1. If PHP directly outputs html, you can use the following method. Filter:
htmlspecialchars function
htmlentities function
HTMLPurifier.auto.php plug-in
RemoveXss function
2. If PHP outputs to JS code, or develops Json API, the front end needs to be filtered in JS:
Try to use innerText (IE) and textContent (Firefox), which is jQuery's text () to output text content
You must use innerHTML and other functions, you need to do filtering similar to php's htmlspecialchars
3. Other general supplementary defenses Means
When outputting html, add the Http Header of Content Security Policy
Function: It can prevent the page from being embedded in third-party script files when it is attacked by XSS
Defects: IE or lower version browsers may not support
2. When setting cookies, add the HttpOnly parameter
Function: It can prevent the cookie information from being used when the page is attacked by XSS. Stealing, compatible to IE6
Defect: The JS code of the website itself cannot operate cookies, and its function is limited, it can only ensure the security of cookies
3. When developing API, check the request Referer parameter
Function: It can prevent CSRF attacks to a certain extent
Defect: In IE or lower version browsers, the Referer parameter can be forged
The above is the detailed content of How to prevent XSS in PHP. For more information, please follow other related articles on the PHP Chinese website!