To fix an XSS vulnerability in PHP, we can use three PHP functions.
These functions are mainly used to neutralise HTML markup, so that injected code is rendered as text instead of being executed. The first is htmlspecialchars(), which converts special characters such as "<" and ">" into the entities "&lt;" and "&gt;". Another is htmlentities(), which goes further and replaces every character that has a corresponding HTML character entity with that entity.
PHP Code:
<?php
// The code here is mainly used to show the difference between the two functions.
// Sample input (constructed; the original string was lost from this page):
// htmlspecialchars() only converts &, ", < and >, while htmlentities() also
// converts characters such as the copyright sign that have a named entity.
$input = '<b>bold</b> & "quoted" ©';
echo htmlspecialchars($input) . "\n";
echo htmlentities($input, ENT_COMPAT, 'UTF-8');
?>
Another example of htmlentities()
PHP Code:
<?php
$str = "A 'quote' is <b>bold</b>";   // sample string from the PHP manual's htmlentities() example
echo htmlentities($str);             // single quotes are left alone (default flags before PHP 8.1)
echo htmlentities($str, ENT_QUOTES); // ENT_QUOTES also encodes single quotes
?>
First display: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
Second display: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
Example use of htmlspecialchars()
PHP Code:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES); // sample string from the PHP manual's example
echo $new;
?>
Display: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
The strip_tags() function deletes all HTML (and PHP) tags from a string, except those you explicitly allow through its second argument.
Example use of strip_tags()
PHP Code:
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>'; // sample string from the PHP manual's example
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
Now that we know these functions, when we find that our site has an XSS vulnerability we can use them in our code. I recently discovered an XSS vulnerability in the video section of GoogleBig (a plug-in for the MyBB forum) on my website, so I wondered how to use these functions to write a code segment that fixes this search vulnerability.
First, I found that the problem lies in the search.php file. Now let's take a look at some of the code that runs the query and outputs the query results:
PHP Code:
function search($query, $page)
{
    global $db, $bgcolor2, $bgcolor4, $sitename, $io_db, $module_url, $list_page_items, $hm_index;
    $option = trim($option);
    $query = trim($query);
    $query = FixQuotes(nl2br(filter_text($query)));
    $db->escape_string($query);   // note: the escaped value is discarded; the unescaped $query is used below
    $db->escape_string($option);
    alpha_search($query);
    ...
In this case, the $query value is the variable we need to escape, so we wrap it in the htmlentities() function:
PHP Code:
$query = FixQuotes(nl2br(filter_text(htmlentities($query))));
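The same escaping is needed at every point where the query is echoed back into the page, not only where it is processed. As an added example (not code from the original post or from the GoogleBig plug-in), the script below runs the three functions over constructed sample queries and renders an escaped search header; escape_html() and render_search_header() are assumed helper names.

```php
<?php
// Escape for an HTML element body or a double-quoted attribute value.
function escape_html(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the "results for ..." header the way a search page would: once in
// the text of the page and once inside the value attribute of the search box.
function render_search_header(string $query): string
{
    $safe = escape_html($query);
    return '<p>Results for: ' . $safe . "</p>\n"
         . '<input type="text" name="query" value="' . $safe . "\">\n";
}

// Constructed sample queries (not taken from the plug-in).
$samples = [
    'plain'     => 'mybb videos',
    'tags'      => '<b>bold</b> & <i>italic</i>',
    // Only the quote matters here: unescaped, it would close the value=""
    // attribute and let the rest of the input become a new attribute.
    'attribute' => 'x" data-injected="1',
];

foreach ($samples as $label => $query) {
    echo "== {$label} ==\n";
    // strip_tags() removes tags but keeps the quote, so on its own it does
    // not protect the attribute context.
    echo "strip_tags:     ", strip_tags($query), "\n";
    echo "htmlentities:   ", htmlentities($query, ENT_QUOTES, 'UTF-8'), "\n";
    echo render_search_header($query);
}
```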
If you have any questions about the three functions, you can consult the PHP manual:
http://it.php.net/htmlentities
http://it2.php.net/htmlspecialchars
http://it2.php.net/strip_tags