🐘 PHP Beginner

What is XSS and how do you prevent it in PHP?

Answer

Cross-Site Scripting (XSS) is a security vulnerability where an attacker injects malicious JavaScript into web pages viewed by other users. If you output user-supplied data directly to HTML without sanitization, an attacker could inject <script>stealCookies()</script>. Prevention in PHP: always escape output using htmlspecialchars($data, ENT_QUOTES, "UTF-8") before rendering user data in HTML — this converts <, >, ", ', and & into their HTML entity equivalents. Also use Content Security Policy (CSP) headers, set the HttpOnly flag on cookies, and validate/sanitize all input. Never trust user input.