Protection Against Cross Site Scripting Guide

Protection Against Cross Site Scripting

Hello friend, today I will be teaching you how you can protect your website against Cross Site Scripting. This is really easy.

What is Cross Site Scripting :-

This is a kind of injection attack in which the attacker gets a malicious script into a web page that other users view. It is a client-side vulnerability: the script is executed in the victim's browser, and the attacker can use that malicious code to access session cookies, tokens, and other sensitive information on the site. These scripts can even rewrite the content of the web page. More information about it can be found on OWASP.

What are the reasons which cause XSS :-

This attack is caused when user input is not sanitized properly and is forwarded to the page without any verification: the output is generated without filtering or encoding it, and that leads to Cross Site Scripting.

Methods used for Protection Against Cross site Scripting:-

So here I will discuss some of the most commonly used methods for protection against XSS. Here are some important points you should keep in mind while creating a web application.

  • If you are taking any user input on the page then you must escape it before output with the PHP function htmlentities() (or htmlspecialchars()). Pass the ENT_QUOTES flag and a charset such as UTF-8, otherwise single quotes are left alone and an attribute written with 'single quotes' can still be broken out of. With this function the text will still display fine, but the attack will not launch.
  • Keep your <script> tags secured: never build JavaScript by pasting user input into it.
  • Don’t allow untrusted data in :-
      • <script>….</script> tag
      • an attribute name like <div something=else>
      • tag name like <something>
  • Never accept JavaScript to be inserted into your page; nothing will prevent XSS if you do that.
  • Whenever you want to put user input on your page in one of the following places, escape all characters except alphanumerics with the &#xHH; numeric entity format (the OWASP rule is stated for characters with code points below 256, and escaping everything non-alphanumeric is also safe):
    • attributes like value=
    • CSS values like font-size
    • HTML URL attributes like <a href= (here encoding is not enough on its own: a javascript: or data: URL survives encoding, so also check that the scheme is http or https)
  • If you want to give your users the ability to format their comments, still don't allow them to use any HTML tags. Escape the input first, then use regular expressions to convert a small markup such as [b]....[/b] into HTML.
  • And if you are using a GET parameter to display information then it is a simple fix: just validate and encode the user input. But if you have a big web application there may be some complexities, because every place where the input is output has to be covered.
  • Remember that the attacker doesn't have to use the <script> tag to do XSS attacks; he can use an event handler on any tag, for example <b onmouseover=alert('you have been hacked')>text</b>
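As an added example (not code from the original post), here is how the rules above look in PHP when each output context gets its own encoder. The function names escHtml, escAttr, safeUrl, escJs and bbcodeToHtml are my own, and the sample inputs are constructed; the event-handler payload is the one from the last point above.

```php
<?php
// Added example, not code from the original post: context-aware output
// encoding in PHP for the contexts listed above. All function names here
// are my own (escHtml, escAttr, safeUrl, escJs, bbcodeToHtml).
declare(strict_types=1);

// HTML body and quoted-attribute context. ENT_QUOTES also encodes the
// single quote, which htmlentities()/htmlspecialchars() skip by default.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unquoted attribute context: encode every character that is not
// alphanumeric as a numeric entity (&#xHH;), per the rule in the list above.
function escAttr(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        return sprintf('&#x%X;', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

// URL attribute context (href/src): encoding alone does not stop
// javascript: or data: URLs, so the scheme is checked before encoding.
function safeUrl(string $url): ?string
{
    $scheme = strtolower((string) (parse_url($url, PHP_URL_SCHEME) ?? ''));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;   // reject javascript:, data:, vbscript: and scheme-less input
    }
    return escHtml($url);
}

// Script context: never build JavaScript by string concatenation; serialise
// the value as JSON with the HEX flags so <, >, &, ' and " cannot end the tag.
function escJs($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Comments: never accept raw HTML. Escape everything first, then translate a
// small BBCode whitelist ([b], [i]) into fixed tags that carry no attributes.
function bbcodeToHtml(string $comment): string
{
    $safe = escHtml($comment);
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);
    return $safe;
}

// Constructed sample input: the event-handler payload from the list above,
// a javascript: URL, and a comment mixing BBCode with an HTML tag.
$payload = "<b onmouseover=alert('you have been hacked')>text</b>";
$link    = "javascript:alert(document.cookie)";
$comment = "[b]bold[/b] but <img src=x onerror=alert(1)> is shown as plain text";

// Each output location uses the encoder for its own context.
$page  = '<p>Hello ' . escHtml($payload) . "</p>\n";
$page .= '<input value="' . escHtml($payload) . "\">\n";
$page .= '<div title=' . escAttr($payload) . ">hover me</div>\n";
$page .= '<a href="' . (safeUrl($link) ?? '#') . "\">profile</a>\n";
$page .= '<script>var user = ' . escJs($payload) . ";</script>\n";
$page .= '<div class="comment">' . bbcodeToHtml($comment) . "</div>\n";
echo $page;
```

The charset passed to htmlspecialchars() must match the charset the page is actually served with, so also send it in the Content-Type header; and the safest way to keep a session cookie out of reach of an injected script is to set it HttpOnly, which makes the "access the session cookies" part of the attack described above fail even if an encoding is missed.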


Now that I have given a brief overview of how to prevent this attack, here is a video demonstration.


If you liked this post, do like it and share it with your friends, and like our fan pages.

