Output Encoding and Sanitisation to Prevent XSS
Example

```php
<?php
// PHP: context-aware output encoding
$userInput = '<script>alert("XSS")</script> & "quotes" \'apostrophe\'';

// HTML context — htmlspecialchars with correct flags.
// ENT_QUOTES encodes both quote styles so the value is also safe inside a
// quoted attribute; ENT_HTML5 selects HTML5 entities (apostrophe becomes &apos;).
echo htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
// Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt; &amp; &quot;quotes&quot; &apos;apostrophe&apos;

// JavaScript string context — json_encode produces a safely-escaped JSON string.
// JSON_HEX_TAG turns < and > into \u003C and \u003E, so the encoded value can
// never contain a literal </script> that would terminate the script element early.
$jsVar = json_encode($userInput, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE);
echo "<script>var userInput = {$jsVar};</script>";

// URL context — rawurlencode (percent-encodes everything outside the unreserved set)
$param = rawurlencode($userInput);
echo "<a href=\"/search?q={$param}\">Search</a>";

// ----------------------------------------------------------------
// HTML Purifier — allow rich HTML but strip XSS vectors
// ----------------------------------------------------------------
// require_once 'HTMLPurifier.auto.php';
// $config = HTMLPurifier_Config::createDefault();
// $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
// $purifier = new HTMLPurifier($config);
// $clean = $purifier->purify($dirtyHtml);

// ----------------------------------------------------------------
// JavaScript: DOMPurify for client-side sanitisation
// ----------------------------------------------------------------
// import DOMPurify from 'dompurify';
// const clean = DOMPurify.sanitize(dirtyHtml, { ALLOWED_TAGS: ['b','i','a','p'] });
// element.innerHTML = clean; // safe after purification
```