Home > Backend Development > PHP Tutorial > The ultimate solution to defend against XSS injection in PHP

The ultimate solution to defend against XSS injection in PHP

藏色散人
Release: 2023-04-08 07:36:02
forward
3530 people have browsed it

PHP’s ultimate solution to defend against XSS injection [Information Security] [Hack]

1: If PHP directly outputs html, you can use the following methods to filter:

1.htmlspecialchars function

2.htmlentities function

3.HTMLPurifier.auto.php plug-in

4.RemoveXss function (Baidu can Found)

2: If PHP outputs to JS code, or develops Json API, the front end needs to filter in JS:

1. Try to use innerText (IE) and textContent (Firefox), that is, jQuery's text() to output text content

2. If you must use innerHTML and other functions, you need to do filtering similar to php's htmlspecialchars (refer to @eechen's Answer)

Three: Other general supplementary defense methods

1. When outputting HTML, add the Http Header of Content Security Policy

(Function: It can prevent the page from being attacked by XSS, embedding third-party script files, etc.)

(Defect: IE or lower version browsers may not support it)

2. In settings When using cookies, add the HttpOnly parameter

(function: it can prevent cookie information from being stolen when the page is attacked by XSS, and is compatible with IE6)

(defect: the JS code of the website itself is also Cookies cannot be operated, and their function is limited. They can only ensure the security of cookies)

3. When developing APIs, check the Referer parameter of the request

(Function: It can prevent CSRF attacks to a certain extent. )

(Defect: In IE or lower version browsers, the Referer parameter can be forged)

For more PHP related knowledge, please visit PHP Tutorial!

The above is the detailed content of The ultimate solution to defend against XSS injection in PHP. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
php
source:csdn.net
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template