How to prevent XSS attacks in PHP, and the principle behind an XSS attack


XSS stands for cross-site scripting (the abbreviation CSS was used at first, but it collides with Cascading Style Sheets, so XSS became the standard name). Like SQL injection, it is one of the most common vulnerability classes in web applications. XSS executes in the victim's browser rather than on the server, which is why it is easy to overlook. The principle: an attacker submits malicious HTML or JavaScript to a site that has an XSS vulnerability; when another user's browser renders the affected page, that code runs automatically in the victim's session. Typical goals are stealing the user's cookies, defacing the page structure, and redirecting the user to another site.

In theory, any input that is rendered back into a page without security filtering, or with incomplete filtering, can be an XSS vulnerability; forms are only the most obvious source.

Here are some of the simplest and most common malicious XSS inputs:

1. XSS input usually contains JavaScript, for example a malicious alert box:
   <script>alert("XSS");</script>

2. XSS input may also be a plain HTML fragment, for example:
   (1) a tag that refreshes the page endlessly: <meta http-equiv="refresh" content="0;">
   (2) a frame that embeds another website: <iframe src=http://xxxx width=250 height=250></iframe>

Besides submitting XSS payloads through the normal form, client-side JavaScript validation can be bypassed by editing the request before it reaches the server (for example with an intercepting proxy), so only server-side handling counts as a defence, as shown in the following figure:

Once the principle and impact of XSS are understood, preventing it is not difficult. Here is a simple PHP function that sanitises input against XSS:

<?php
/**
 * Sanitise a string, or recursively every value of an array, against XSS.
 *
 * @param string|array $string  value to clean, modified in place
 * @param bool         $low     low security level: stop after strip_tags/htmlspecialchars
 * @return bool
 */
function clean_xss(&$string, $low = false)
{
    if (!is_array($string)) {
        $string = trim($string);
        $string = strip_tags($string);        // drop HTML and PHP tags
        $string = htmlspecialchars($string);  // encode & < > " (single quote only on PHP 8.1+)
        if ($low) {
            return true;
        }
        // Strip quotes, backslashes, slashes and path fragments that could still be abused.
        $string = str_replace(array('"', "\\", "'", "/", "..", "../", "./", "//"), '', $string);
        // Remove URL-encoded control characters: %00-%08, %0b, %0c, %0e, %0f (case-insensitive, so %0B matches too).
        $no = '/%0[0-8bcef]/i';
        $string = preg_replace($no, '', $string);
        // Remove URL-encoded %10-%1f.
        $no = '/%1[0-9a-f]/i';
        $string = preg_replace($no, '', $string);
        // Remove raw control characters, keeping tab, LF and CR.
        $no = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';
        $string = preg_replace($no, '', $string);
        return true;
    }
    // Array: clean every element in place at the same security level.
    $keys = array_keys($string);
    foreach ($keys as $key) {
        clean_xss($string[$key], $low);
    }
    return true;
}

// Just a test
$str = '<meta http-equiv="refresh" content="0;">';
clean_xss($str); // comment this line out and the refresh tag reaches the browser intact
echo $str;

Note that this function is deliberately aggressive: strip_tags() discards anything that looks like a tag, and the str_replace() call removes quotes, slashes and dot sequences, so legitimate input such as a name with an apostrophe or a relative path is altered. It also operates on input, while XSS is an output problem: the same value is harmless or dangerous depending on whether it lands in an element body, an attribute, a URL or inline JavaScript. For new code, validate input for its expected shape and encode at output time with htmlspecialchars() using ENT_QUOTES, or with the encoder for the target context; keep a function like clean_xss() for legacy code paths that cannot be changed.
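As an added example, not code from the original article, the following script contrasts blanket input stripping with per-context output encoding. It runs over the sample payloads listed earlier in the article plus legitimate input that a quote- and slash-stripping filter would damage. The helper names (render_html_text, render_attr, render_js_value) and the sample inputs are constructed for this example; the htmlspecialchars() and json_encode() flags are real PHP constants.

```php
<?php
// Added example, not code from the original article: instead of stripping
// characters out of input, encode data at output time with the encoder that
// matches where it lands. The helper names and the sample inputs below are
// constructed for this example.

declare(strict_types=1);

// Element body: encode the HTML metacharacters. ENT_QUOTES also covers the
// single quote, which PHP before 8.1 leaves alone by default; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function render_html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Quoted attribute value: the same encoder is enough, as long as the template
// always wraps the attribute in double quotes.
function render_attr(string $value): string
{
    return render_html_text($value);
}

// Value embedded in inline JavaScript: emit a JSON literal and hex-escape
// < > & ' " so it cannot terminate the <script> element or the string.
function render_js_value($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed inputs: the article's payloads, an attribute break-out attempt,
// and two legitimate values that a quote/slash-stripping filter would mangle.
$inputs = [
    '<script>alert("XSS");</script>',
    '<meta http-equiv="refresh" content="0;">',
    '" onmouseover="alert(1)',
    "O'Reilly",
    'docs/2024/report.html',
];

foreach ($inputs as $raw) {
    echo "raw : {$raw}\n";
    echo "body: <p>" . render_html_text($raw) . "</p>\n";
    echo "attr: <input value=\"" . render_attr($raw) . "\">\n";
    echo "js  : <script>var v = " . render_js_value($raw) . ";</script>\n\n";
}
```

Run it with php from the command line and compare the three renderings of each input: the payloads come out as inert text in every context, while the apostrophe and the path survive intact apart from the encoding the browser decodes back. The design choice is to keep data unmodified in storage and pick the encoder at the last moment, because only the template knows which context it is writing into.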

HttpOnly settings in PHP

PHP 5.2 and later support the HttpOnly cookie flag. For the session cookie it can be switched on globally in php.ini:

session.cookie_httponly = 1

Setting the value to 1 (or true) marks the session cookie HttpOnly. The same setting can also be applied from code:

<?php
ini_set("session.cookie_httponly", 1);
// or, before session_start(): lifetime, path, domain, secure, httponly
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);

The cookie functions setcookie() and setrawcookie() also take httponly as their seventh parameter, after name, value, expires, path, domain and secure. It is enabled like this:

setcookie("abc", "test", 0, "", "", false, true);
setrawcookie("abc", "test", 0, "", "", false, true);
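As an added example, not code from the original article, the following script applies HttpOnly from code together with the Secure and SameSite flags, using the options-array form that session_set_cookie_params() and setcookie() accept since PHP 7.3, and then verifies the effective session cookie settings. The helper missing_cookie_flags() is written for this example and is not a PHP builtin.

```php
<?php
// Added example, not code from the original article: set HttpOnly, Secure and
// SameSite on the session cookie and on an ordinary cookie, then check the
// effective session cookie parameters. missing_cookie_flags() is a helper
// written for this example, not a PHP builtin.

declare(strict_types=1);

// Per-script equivalent of session.cookie_httponly = 1 (plus secure and
// samesite) in php.ini. Must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable through document.cookie
    'samesite' => 'Lax',   // withheld from most cross-site requests
]);

// An ordinary cookie with the same flags. The seven-argument form
// setcookie("abc", "test", 0, "/", "", true, true) is equivalent but has no
// slot for SameSite. Cookies must be set before any output is produced.
setcookie('abc', 'test', [
    'expires'  => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Return the names of the protective flags the session cookie still lacks,
// so a deployment check can fail loudly instead of silently shipping a
// script-readable, plain-HTTP session cookie.
function missing_cookie_flags(): array
{
    $p = session_get_cookie_params();
    $missing = [];
    if (empty($p['httponly'])) {
        $missing[] = 'httponly';
    }
    if (empty($p['secure'])) {
        $missing[] = 'secure';
    }
    if (!in_array($p['samesite'] ?? '', ['Lax', 'Strict'], true)) {
        $missing[] = 'samesite';
    }
    return $missing;
}

$missing = missing_cookie_flags();
if ($missing === []) {
    echo "session cookie flags OK\n";
} else {
    echo "session cookie is missing: " . implode(', ', $missing) . "\n";
}
```

Test it under a web server on an HTTPS origin: with secure set to true the browser discards the cookie over plain HTTP, so a mixed-content staging setup will appear to lose the session. Calling missing_cookie_flags() from a health check or a test keeps a later php.ini change from quietly removing the flags.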

Older PHP versions are out of scope here. Keep in mind what HttpOnly does and does not do: it stops injected script from reading the cookie through document.cookie, which blocks the classic cookie-theft payload, but script that already runs in the page can still send requests in the user's session. HttpOnly limits the damage of XSS; it is not a substitute for fixing it.

