Best Practices to Prevent XSS in PHP Web Apps

Best Practices to Prevent XSS in PHP Web Apps

Cross-Site Scripting is a type of security vulnerability that normally occurred in web applications and is often abbreviated as XSS. In case you’re wondering, we don’t use the abbreviation CSS because we already use that for Cascading Styles Sheets when we’re designing our web pages.

XSS was originally called cross-site because of web browser security flaws. Using XSS, you can transfer information/data from one site to another if you had both sites’ windows open in your browser. 

In this article, I will walk you through the details about the XSS and how you can prevent PHP XSS attacks on your web app.

XSS usually gets inserted through a webpage using a web form or hyperlink. This code can be used via any client-side languages such as JavaScript, PHP, HTML, VBScript. 

Nowadays, given the rampantness of past XSS vulnerabilities, browsers take security into account and don’t generally allow information to jump from one browser screen to another. It is also important to have complete awareness and knowledge about XSS attack examples in your PHP applications to be able to set up prevention measures in time. 

Practices to Prevent XSS in PHP Web Apps


Types of XSS Vulnerabilities

There are 3 main types of XSS attacks.

  1. Stored XSS 
  2. Reflected XSS
  3. Dom Based XSS (Document Object Model)

Stored XSS

Stored Cross-Site Scripting [XSS] is a very dangerous form of Cross-Site Scripting. Web applications that allow users to store data in the database are potentially exposed to this type of attack.

Stored XSS happens when an XSS attacker injects malicious code into a website with the code being saved to a database. Later on, when a web user accesses the page, he may unknowingly retrieve that file and thus the script will run in the user’s browser.

Whenever a client sends an HTTP request to the server and the server sends an HTTP to respond with malicious code because malicious code saves in the database, it will harm the client. The severity of this kind of attack is very high.

Reflected XSS

This is a type of Cross-Site Scripting in which an attacker injects some JavaScript code using any form field on a website. Whatever script will add to the browser will never affect any other user or any other users will be harmed.

Take an example of any search engine (Google, Bing). You’re able to input a query and search for any information, but what would happen if you can add scripts in the input field, and the script would perform any function? Maybe it took the user’s credentials, it took cookies information. If you have similar cookies as for any other user, you can access all their data in your browser because you ran a search into a malicious search box.


DOM stands for Document Object Model. In this



This article was written by Shahzeb Ahmed and originally published on The Official Cloudways Blog.

Disclosure: Some of the links in this post are "affiliate links." This means if you click on the link and purchase the product, We may receive an affiliate commission.

Leave a Comment

Your email address will not be published. Required fields are marked *

Show Your ❤️ Love! Like Us
Scroll to Top