PHP Sanitize XSS
Here is a simple PHP function I use to prevent XSS attacks. Use it to sanitize any user-input or otherwise unknown variables before use.
// Strip tags, then encode the remaining special characters as HTML entities.
// ENT_QUOTES encodes single as well as double quotes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function sanitize_xss($value) {
    return htmlspecialchars(strip_tags($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
This function does two things to sanitize the input $value and protect against XSS:
- Removes all PHP and HTML tags via strip_tags()
- Converts all special characters to their HTML-entity equivalents via htmlspecialchars()
When combined, these two functions eliminate any chance of a successful XSS attack. All tags are removed and all quotes and other special characters are encoded. So yeah, XSS is not gonna happen when using the sanitize_xss() function provided above.
Example
For those who may be new to PHP, here is an example of how this function would be used. Let’s say that you have a variable named $user_input that you want to sanitize before echoing to the browser. All you need to do is:
<?php echo sanitize_xss($user_input); ?>
...and kiss XSS goodbye ;)
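The script below is an added example, not code from the original post: it runs sanitize_xss() over a few constructed inputs so you can see what the two functions actually do to the data, and then shows which output contexts the result is safe in. The sample strings, the $samples array and the explicit ENT_QUOTES / ENT_SUBSTITUTE flags are this example's own additions; the json_encode() call for the JavaScript case is standard PHP, not part of the post's function.

```php
<?php
// Added example: exercises the post's sanitize_xss() on constructed inputs.
// The flags and charset are an addition to the post's one-liner so that
// single quotes are encoded on every PHP version.
function sanitize_xss($value) {
    return htmlspecialchars(strip_tags((string) $value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, the kind of strings a form field might carry.
$samples = [
    '<script>alert(1)</script>',      // whole tag removed by strip_tags()
    '"><img src=x onerror=alert(1)>', // tag removed, leading quote encoded
    "O'Reilly & <b>Sons</b>",         // apostrophe only encoded with ENT_QUOTES
    '1 <2 and 3> 2',                  // "<2 and 3>" is removed as if it were a tag
    '1 < 2 and 3 > 2',                // "<" followed by a space is kept as text
];

echo "Input => sanitize_xss(Input)\n";
foreach ($samples as $in) {
    printf("%-34s => %s\n", $in, sanitize_xss($in));
}

// Context 1: HTML text and quoted attribute values. Every character that
// could end the text node or the attribute (< > " ' &) is now an entity,
// so these two echoes are safe.
$name = sanitize_xss('"><script>x</script>');
echo "<p>Hello, $name</p>\n";
echo "<input value=\"$name\">\n";

// Context 2: inside a <script> block. HTML entities are NOT decoded there,
// so the sanitized value arrives garbled, and characters that break a JS
// string literal (backslash, newline) are untouched. Encode for the
// JavaScript context instead; the JSON_HEX_* flags keep a literal
// "</script>" in the data from closing the block.
$js = json_encode("line1\nline2 </script>", JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo "<script>var name = $js;</script>\n";
```

Two things the run makes visible. First, strip_tags() is lossy: anything between an unspaced "<" and the next ">" disappears, which is why output encoding at echo time (htmlspecialchars() alone) is usually preferred over stripping on input, with the raw value kept in storage. Second, the function only covers the HTML text and attribute contexts; a value placed in a script block, an unquoted attribute, a CSS property or a URL needs the encoder for that context, and for URLs the scheme should be validated rather than encoded.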