codingstuff.io
Cross-Site Scripting (XSS)

Updated 2026-05-15
10 min read

Introduction

Cross-Site Scripting (XSS) is a security vulnerability commonly found in web applications. It occurs when an application takes untrusted, attacker-controlled input and writes it into a page that is then served to other users without escaping it. The injected script runs in the victim's browser with the victim's privileges on the site, which can lead to unauthorized access to, or manipulation of, that user's data.

In this tutorial, we will explore what XSS is, how it works, and how you can prevent it in PHP applications.

Concept

XSS vulnerabilities arise when a web application includes untrusted data in its output without proper validation or escaping. This allows attackers to inject scripts that execute on the client side, which can lead to malicious activity such as stealing cookies, hijacking sessions, or defacing websites.

There are three main types of XSS:

  1. Reflected XSS: The malicious script arrives in a single HTTP request (for example, in a query parameter) and is reflected straight back to the same user in the response.
  2. Stored XSS: The malicious script is stored on the server (e.g., in a database) and served to other users whenever they access the affected page.
  3. DOM-Based XSS: The attack occurs entirely on the client side, where page scripts write untrusted input into the Document Object Model (DOM) as HTML.

Examples

Reflected XSS Example

Let's consider a simple PHP script that echoes user input without proper escaping:

<?php
if (isset($_GET['name'])) {
    echo "Hello, " . $_GET['name'] . "!";
}
?>

If an attacker crafts a URL like http://example.com/?name=<script>alert('XSS')</script>, the script will be executed in the victim's browser.

Prevention

To prevent reflected XSS, always escape untrusted data at the point where it is written into the output. For HTML output, PHP's htmlspecialchars function does this:

<?php
if (isset($_GET['name'])) {
    $safeName = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
    echo "Hello, " . $safeName . "!";
}
?>

The htmlspecialchars function converts the characters <, >, &, " and (with ENT_QUOTES) ' into HTML entities, so the browser renders them as text rather than parsing them as markup. Passing the charset explicitly ('UTF-8') ensures the function interprets the input correctly.
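htmlspecialchars is the right tool for HTML text and quoted attribute values, but data written into a JavaScript string or a URL needs a different encoder. The following helper set is an added example, not code from the tutorial; the function names escHtml, escJs and escUrlParam are assumed names, and the sample value is constructed.

```php
<?php
// Added example: one escaping helper per output context.
// htmlspecialchars() is only correct for HTML text and quoted attributes;
// data placed inside a <script> block or a URL needs a different encoder.
declare(strict_types=1);

function escHtml(string $s): string {
    // ENT_QUOTES also encodes ' so the value is safe in single-quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escJs(string $s): string {
    // JSON-encode the value as a JavaScript string literal. The HEX flags encode
    // < > & ' " as \uXXXX so the data can never close the surrounding <script>.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function escUrlParam(string $s): string {
    // Percent-encode a single query-string value.
    return rawurlencode($s);
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Constructed sample: the payload used in the tutorial.
$name = "<script>alert('XSS')</script>";

echo "<p>Hello, " . escHtml($name) . "!</p>\n";                 // HTML text
echo '<input type="text" value="' . escHtml($name) . '">' . "\n"; // quoted attribute
echo "<script>var name = " . escJs($name) . ";</script>\n";      // JS string data
echo '<a href="/?name=' . escUrlParam($name) . '">link</a>' . "\n"; // URL parameter

// Sanity checks on what the encoders return.
check(strpos(escHtml($name), '<') === false, 'no raw < in HTML context');
check(escHtml("it's") === 'it&#039;s', 'single quote encoded for attributes');
check(escJs('</script>') === '"\u003C\/script\u003E"', 'closing tag neutralised in JS');
check(escUrlParam('a b&c') === 'a%20b%26c', 'URL parameter percent-encoded');
```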

Stored XSS Example

Consider a comment system where user comments are stored and displayed:

<?php
// Assume this is part of a larger application with database interactions
if (isset($_POST['comment'])) {
    // Store the comment in the database
    $comment = $_POST['comment'];
    // Display all comments
    echo "<div>" . $comment . "</div>";
}
?>

If an attacker posts a comment like <script>alert('XSS')</script>, it will be executed when other users view the page.

Prevention

Always sanitize and escape data before storing and displaying it:

<?php
// Assume this is part of a larger application with database interactions
if (isset($_POST['comment'])) {
    // Sanitize and store the comment in the database
    $safeComment = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
    // Display all comments
    echo "<div>" . $safeComment . "</div>";
}
?>
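The snippet above escapes the comment at the moment it is displayed. The following added example (not code from the tutorial) shows the same comment system with real storage: the original text is kept in the database through a prepared statement, and htmlspecialchars is applied exactly once, at render time. Escaping both before storing and again on display double-encodes the text, which the last lines demonstrate. It uses an in-memory SQLite database so it runs stand-alone; storeComment and renderComments are assumed names, and the comments are constructed sample input.

```php
<?php
// Added example: store the original comment, escape once when rendering.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

function storeComment(PDO $db, string $body): void {
    // Prepared statement: the text is bound as data, never spliced into the SQL
    // (see the SQL-injection chapter). No HTML escaping here; that is an
    // output concern, and the stored text may later be shown in other contexts.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function renderComments(PDO $db): string {
    // The single place where comment text meets HTML: escape it here.
    $html = '';
    foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
        $html .= '<div class="comment">'
            . htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "</div>\n";
    }
    return $html;
}

// Constructed sample input: the tutorial's payload and an ordinary comment.
storeComment($db, "<script>alert('XSS')</script>");
storeComment($db, 'Tom & Jerry say "hi"');
echo renderComments($db);

// Why escape only once: escaping at store time AND at render time turns
// "<b>" into "&amp;lt;b&amp;gt;", so the reader sees the literal text "&lt;b&gt;".
$once  = htmlspecialchars('<b>', ENT_QUOTES, 'UTF-8');
$twice = htmlspecialchars($once, ENT_QUOTES, 'UTF-8');
if ($once !== '&lt;b&gt;' || $twice !== '&amp;lt;b&amp;gt;') {
    throw new RuntimeException('unexpected encoding result');
}
```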

DOM-Based XSS Example

Consider a simple JavaScript application that updates the page based on user input:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>DOM-Based XSS</title>
</head>
<body>
    <input type="text" id="userInput">
    <div id="output"></div>

    <script>
        document.getElementById('userInput').addEventListener('keyup', function() {
            var userInput = this.value;
            document.getElementById('output').innerHTML = userInput;
        });
    </script>
</body>
</html>

If a user enters <script>alert('XSS')</script> into the input field, it will be executed.

Prevention

Use textContent instead of innerHTML: textContent assigns the string as plain text, so the browser never parses it as HTML and no script can run:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>DOM-Based XSS</title>
</head>
<body>
    <input type="text" id="userInput">
    <div id="output"></div>

    <script>
        document.getElementById('userInput').addEventListener('keyup', function() {
            var userInput = this.value;
            document.getElementById('output').textContent = userInput;
        });
    </script>
</body>
</html>

What's Next?

Now that you have a good understanding of XSS and how to prevent it in PHP applications, the next topic in this series is Object-Oriented Programming in PHP, which will help you structure larger applications and keep input handling and output escaping in well-defined places.

Stay safe while coding!
