Preventing Cross-Site Scripting (XSS) Attacks with the HTML Special Characters Function in PHP

ParagBagul
3 min read · Jan 11, 2023


Introduction:

Cross-Site Scripting (XSS) is an injection attack in which an attacker gets their own code, usually JavaScript, into a page served by a website. That code then runs in the browser of every user who views the page, under the website's origin, so it can read the session cookie or login credentials or perform actions on the user's behalf. In the reflected variant shown below, the injection happens because user input is echoed straight back into the HTML without being encoded.

What is htmlspecialchars() for?

The htmlspecialchars() function converts the characters that have a special meaning in HTML, namely &, <, >, " and (with the ENT_QUOTES flag, which is part of the default since PHP 8.1) ', into their HTML entity equivalents: &amp;, &lt;, &gt;, &quot; and &#039; (or &apos; with ENT_HTML5). An entity is a character code that the browser renders as the literal character; it is never parsed as a tag or executed as script. Encoding user input this way, at the point where it is written into the page, is the standard defence against XSS in an HTML text or quoted-attribute context. It is not sufficient on its own when the value is placed inside a <script> block, a URL or a CSS rule, which need their own encoders.
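To see the encoding rules above in action, here is a small command-line script, added as an example and not part of the original article, that runs a few constructed inputs through htmlspecialchars() with the default flags and with explicit flags, and shows what the double_encode parameter changes. The helper name e(), the constant SAFE_FLAGS and the file name escape_demo.php are assumptions chosen for the example; every PHP call used is standard.

```php
<?php
// Added example (not from the original article): shows exactly what
// htmlspecialchars() changes and how its flags alter the result.
// Run from a terminal: php escape_demo.php
declare(strict_types=1);

// Explicit flags are the safe choice whatever the PHP version:
//  ENT_QUOTES     encode both " and ' (PHP < 8.1 leaves ' alone by default)
//  ENT_SUBSTITUTE replace invalid UTF-8 with U+FFFD instead of returning ""
//  ENT_HTML5      encode ' as &apos; rather than the HTML 4.01 &#039;
const SAFE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Escaper for HTML text and quoted-attribute contexts (name is an assumption).
function e(string $value): string
{
    return htmlspecialchars($value, SAFE_FLAGS, 'UTF-8');
}

// Constructed sample inputs, including the article's payload.
$samples = [
    'plain text'         => 'Parag',
    'article payload'    => '<script>alert("hacked")</script>',
    'attribute breakout' => "\" onmouseover=\"alert(1)",
    'single quotes'      => "' onfocus='alert(1)",
    'ampersand'          => 'Tom & Jerry',
    'already encoded'    => '&lt;b&gt;',
    'invalid UTF-8'      => "caf\xE9",   // Latin-1 byte, not valid UTF-8
];

printf("%-20s | %-40s | %s\n", 'case', 'htmlspecialchars() default flags', 'e() explicit flags');
foreach ($samples as $label => $input) {
    // The default flags depend on the PHP version: ENT_COMPAT | ENT_HTML401
    // before 8.1, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 from 8.1 on.
    // On old versions the single-quote and invalid-UTF-8 rows differ.
    $default = htmlspecialchars($input);
    printf("%-20s | %-40s | %s\n", $label, var_export($default, true), var_export(e($input), true));
}

// double_encode (4th argument) defaults to true, which re-encodes the & of an
// existing entity. Passing false keeps entities that are already there intact.
// Only do that for data you know is already-encoded HTML, never for raw input.
echo "\nalready encoded, double_encode=false: ",
    htmlspecialchars('&lt;b&gt;', SAFE_FLAGS, 'UTF-8', false), "\n";
```

Run it once on the PHP version you deploy on and compare the two columns: any row where the default column still contains a bare quote, or is an empty string, is a case the page's one-argument call would not protect.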

Setting up a vulnerable lab for cross-site scripting:

1. Open a text editor, paste the front-end code below and save it as index.html.

Frontend code:

<!DOCTYPE html>
<html>
<head>
<title>XSS Vulnerable Lab</title>
</head>
<body>
<form action="display.php" method="post">
<label for="name">Name:</label><br>
<input type="text" id="name" name="name"><br>
<label for="city">City:</label><br>
<input type="text" id="city" name="city"><br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

2. This form submits the user input to display.php when the Submit button is clicked. display.php prints the submitted values back to the page, unencoded, which is the bug we are going to exploit. Paste the code below into your text editor and save it as display.php in the same directory as index.html:

<?php
// Deliberately vulnerable: the POST values are echoed straight into the HTML
// without any encoding, so whatever the user types becomes markup.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $name = $_POST['name'];
    $city = $_POST['city'];
    echo "Name: $name<br>";
    echo "City: $city<br>";
}
?>

3. Start PHP's built-in web server. Open a terminal in the directory where you saved the two files (the built-in server uses the current working directory as its document root) and run:

php -S 127.0.0.1:80

The command starts PHP's built-in development web server. It listens on the IP address 127.0.0.1, the loopback address (also known as "localhost"), on port 80. Binding to port 80 needs administrator or root privileges on most systems; if you do not have them, pick a high port such as 8080 and use http://127.0.0.1:8080 in the URLs that follow.

Once the server is running you can reach your PHP scripts at http://127.0.0.1 in your web browser. Keep it bound to the loopback address: the built-in server is meant for development only, and this lab is intentionally vulnerable.

Then open the URL below in your browser:

http://127.0.0.1:80

Our damn vulnerable cross-site scripting lab is now ready.

Performing a cross-site scripting attack on the vulnerable lab:

Enter any name and city in the two input fields and submit the form; display.php reflects both values back on the page exactly as typed.

Now append the payload below to the value in the Name field and submit again:

Payload : <script>alert("hacked")</script>

The payload executes: the browser parses the reflected <script> tag as part of the page and pops up an alert box reading "hacked". An attacker who can get a victim to submit this form with that payload runs arbitrary JavaScript in the victim's session on this site.

Preventing the cross-site scripting vulnerability:

The fix is to encode the user input at the moment it is written into the HTML. Wrapping each value in htmlspecialchars() turns the special characters in the input, such as < and >, into the entities &lt; and &gt;. The browser renders them as literal text instead of parsing them as tags, so the attacker can no longer inject markup or script into the page. Apply it to every value that is echoed, not just the ones you expect to be dangerous, and pass ENT_QUOTES so that single quotes are encoded as well (PHP versions before 8.1 leave them alone by default), which matters as soon as a value is placed inside a quoted attribute.

<?php
// Fixed: each value goes through htmlspecialchars() before it is echoed, so
// < > & " (and ' on PHP 8.1+, or with ENT_QUOTES) become harmless entities.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $name = htmlspecialchars($_POST['name']);
    $city = htmlspecialchars($_POST['city']);
    echo "Name: $name<br>";
    echo "City: $city<br>";
}
?>

Retesting the lab after adding htmlspecialchars():

In the retest the JavaScript payload is no longer executed. The page now shows the literal text <script>alert("hacked")</script> in the Name line, and viewing the page source shows that it was delivered as &lt;script&gt;alert(&quot;hacked&quot;)&lt;/script&gt;.
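The fixed display.php above encodes only the two values it prints, with whatever flags the installed PHP version defaults to. As an added example that is not the article's code, here is a hardened display.php for the same lab that pre-fills the form with the submitted values, so the same input lands both in an HTML text context and inside a quoted attribute, and that hands the values to JavaScript with json_encode() rather than htmlspecialchars(), since the HTML encoder is the wrong tool for a <script> block. The helper names e() and field() and the port 8080 are assumptions; the PHP functions and flags are standard ones (PHP 7.3 or later, for JSON_THROW_ON_ERROR).

```php
<?php
// Added example (not from the original article): a hardened display.php for
// the lab. Save it next to index.html, serve it with php -S 127.0.0.1:8080
// (port 80 usually needs root; the port is an assumption) and submit the form.
declare(strict_types=1);

// Tell the browser which encoding we escaped for; a charset mismatch between
// server and browser is a classic way an output encoder gets bypassed.
header('Content-Type: text/html; charset=UTF-8');

// One escaper for everything that lands in HTML text or in a quoted attribute.
// ENT_QUOTES matters for attributes: without it a single quote can close a
// single-quoted attribute and an attacker can append an onfocus='...' handler.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read input defensively: a missing key becomes '', and a non-string value
// (name[]=x turns $_POST['name'] into an array) is rejected instead of echoed.
function field(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

$name      = field('name');
$city      = field('city');
$submitted = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>XSS Lab - fixed</title>
</head>
<body>
<?php if ($submitted): ?>
<!-- HTML text context: encode at the point of output, not on the way in -->
<p>Name: <?= e($name) ?></p>
<p>City: <?= e($city) ?></p>
<?php endif; ?>

<!-- Quoted attribute context: same escaper; the attribute value MUST stay
     inside quotes, an unquoted value="..." attribute is not protected by it -->
<form action="display.php" method="post">
<label for="name">Name:</label><br>
<input type="text" id="name" name="name" value="<?= e($name) ?>"><br>
<label for="city">City:</label><br>
<input type="text" id="city" name="city" value="<?= e($city) ?>"><br><br>
<input type="submit" value="Submit">
</form>

<!-- JavaScript context: htmlspecialchars() is NOT the right tool here. The
     browser does not decode entities inside <script>, so an entity-encoded
     value would reach the script as garbage, and a raw value containing
     </script> would end the block early. json_encode() with the HEX flags
     emits a JS literal in which < > & ' " are written as \u00XX escapes. -->
<script>
var submitted = <?= json_encode(
    ['name' => $name, 'city' => $city],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR
) ?>;
console.log('last submission', submitted);
</script>
</body>
</html>
```

Retest with the article's payload plus an attribute-breaking value such as " onmouseover="alert(1) and a script-closing value such as </script><script>alert(1)</script>: all three should appear as inert text in the paragraph, the form field and the console output. The design choice is to keep raw data raw while it is stored in variables and to apply a context-specific encoder at each point of output; encoding on input (for example in field()) would break the JavaScript context and make the data wrong for any non-HTML consumer.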

I’m grateful to have such thoughtful readers like you. Thank you for your kind attention.

Thank you,

Parag Bagul!!

HaxWizard
