Summary: in this tutorial, you’ll learn how to use the PHP htmlspecialchars()
function to prevent XSS attacks.
What Is XSS?
XSS stands for cross-site scripting. It is a kind of attack in which an attacker injects malicious client-side code (usually JavaScript) into a web page's output, so that the code runs in the browsers of other users who view the page.
For example, suppose your page has a comment section that lets users post comments. If you output the stored comments as they were entered, the page is vulnerable to XSS.
An attacker can enter a comment containing JavaScript that redirects users to a malicious website:
<script>location.replace('<malicious website>');</script>
The website stores this comment in the database and displays it in the comments section. When legitimate users open the page, the script runs in their browsers and redirects them to the malicious website.
To prevent XSS attacks, always escape strings that come from untrusted sources, such as user input, at the point where you output them. To escape a string for output in HTML, you use the htmlspecialchars() function. Keep in mind that htmlspecialchars() makes a value safe for HTML text content and for quoted attribute values only; it does not make a value safe inside a <script> block, an inline event handler, a CSS rule or a URL, which each need their own context-specific encoding.
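The following is an added example, not code from the original tutorial: it renders a list of comments once without escaping and once with a small e() helper that wraps htmlspecialchars(). The comments array, the author names and the https://evil.example/ URL are constructed sample data standing in for rows read from a database; e() and the render_* function names are this example's own.

```php
<?php
// Added example (not from the original tutorial): rendering stored comments
// with and without escaping. The $comments array is constructed sample data.
declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
 * UTF-8 with U+FFFD instead of returning an empty string, and passing the
 * encoding explicitly keeps the result independent of server configuration.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: comment bodies are echoed into the page unchanged. */
function render_comments_unsafe(array $comments): string
{
    $html = "<ul>\n";
    foreach ($comments as $c) {
        $html .= "  <li><b>{$c['author']}</b>: {$c['body']}</li>\n";
    }
    return $html . "</ul>\n";
}

/** Hardened: every untrusted value is escaped at the point of output. */
function render_comments_safe(array $comments): string
{
    $html = "<ul>\n";
    foreach ($comments as $c) {
        $html .= '  <li><b>' . e($c['author']) . '</b>: ' . e($c['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample data standing in for rows read from the database.
$comments = [
    ['author' => 'alice', 'body' => 'Nice post, thanks!'],
    ['author' => 'mallory',
     'body'   => "<script>location.replace('https://evil.example/');</script>"],
];

echo "--- unsafe (the script tag reaches the browser as markup) ---\n";
echo render_comments_unsafe($comments);
echo "--- safe (the script tag is rendered as text) ---\n";
echo render_comments_safe($comments);
```

Run it with `php comments.php`: in the unsafe output the `<script>` element appears verbatim and would execute if served to a browser, while in the safe output it appears as `&lt;script&gt;location.replace(&apos;https://evil.example/&apos;);&lt;/script&gt;`, which a browser displays as text. Note that the escaping is done in the rendering function, not when the comment is stored: storing the raw value and escaping on output keeps the data usable in other contexts and avoids double encoding.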
Introduction to the PHP htmlspecialchars() function
The htmlspecialchars() function converts special characters into HTML entities:
htmlspecialchars(
    string $string,
    int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
    ?string $encoding = null,
    bool $double_encode = true
): string
Before PHP 8.1, the default value of $flags was ENT_COMPAT, which leaves single quotes unconverted; if your code may run on older versions, pass the flags explicitly rather than relying on the default.
The htmlspecialchars() function accepts an input string ($string) and returns a new string with the special characters converted into HTML entities.
The following table shows the special characters that the htmlspecialchars() function converts to HTML entities:
Character | Name | Replacement |
---|---|---|
& | Ampersand | &amp; |
" | Double quote | &quot;, unless ENT_NOQUOTES is set |
' | Single quote | &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set |
< | Less than | &lt; |
> | Greater than | &gt; |
The $flags parameter is a bitmask of one or more flags that controls how the function handles quotes, invalid code unit sequences and the document type. ENT_COMPAT converts double quotes only, ENT_QUOTES converts both kinds of quote and ENT_NOQUOTES converts neither; ENT_SUBSTITUTE replaces an invalid code unit sequence with U+FFFD instead of returning an empty string; and ENT_HTML401, ENT_XML1, ENT_XHTML and ENT_HTML5 select the document type, which determines the entity used for the single quote.
The $encoding parameter specifies the character encoding of the input. If it is null, the default_charset configuration option (UTF-8 by default) is used; pass it explicitly, for example 'UTF-8', so the result does not depend on server configuration.
The $double_encode parameter controls whether existing HTML entities in the input are encoded again. Leave it true unless the input is known to be already encoded, otherwise an attacker can smuggle a literal & through by writing it as &amp;.
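The following is an added example, not code from the original tutorial, showing how the three parameters change the result. The $payload, the invalid UTF-8 string and the 'Tom &amp; Jerry' input are constructed test values; the single-quoted title attribute is chosen because it is the case where the quote flag decides whether the value can break out of the attribute.

```php
<?php
// Added example (not from the original tutorial) showing how $flags,
// $encoding and $double_encode change the result. All inputs are constructed.
declare(strict_types=1);

// 1. Quote handling. Inside a single-quoted attribute the ' character is the
//    delimiter, so any flag set that leaves it alone lets the value break out
//    and add an event handler attribute.
$payload = "' onmouseover='alert(1)";

$compat  = htmlspecialchars($payload, ENT_COMPAT);               // " only
$quotes  = htmlspecialchars($payload, ENT_QUOTES | ENT_HTML401); // " and ' -> &#039;
$quotes5 = htmlspecialchars($payload, ENT_QUOTES | ENT_HTML5);   // " and ' -> &apos;
$noq     = htmlspecialchars($payload, ENT_NOQUOTES);             // neither quote

printf("ENT_COMPAT   : <a title='%s'>\n", $compat);   // attribute breakout
printf("ENT_QUOTES   : <a title='%s'>\n", $quotes);   // value stays inside the attribute
printf("ENT_HTML5    : <a title='%s'>\n", $quotes5);  // same, with &apos;
printf("ENT_NOQUOTES : <a title='%s'>\n", $noq);      // attribute breakout

// 2. Invalid UTF-8. Without ENT_SUBSTITUTE the function returns an empty
//    string, which silently drops the whole value; with it the bad byte
//    becomes U+FFFD and the rest of the string (still escaped) survives.
$badUtf8 = "caf\xE9 <b>";  // \xE9 is a lone lead byte, invalid in UTF-8
var_dump(htmlspecialchars($badUtf8, ENT_QUOTES, 'UTF-8'));                  // string(0) ""
var_dump(htmlspecialchars($badUtf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')); // "caf\u{FFFD} &lt;b&gt;"

// 3. $double_encode. Entities already present in the input are encoded again
//    by default; pass false only when the input is known to be HTML-encoded.
$already = 'Tom &amp; Jerry';
echo htmlspecialchars($already, ENT_QUOTES, 'UTF-8'), "\n";         // Tom &amp;amp; Jerry
echo htmlspecialchars($already, ENT_QUOTES, 'UTF-8', false), "\n";  // Tom &amp; Jerry
```

The first section is the reason ENT_QUOTES is the right default for a general-purpose escaping helper: HTML attribute values may be delimited by either quote character, and a helper that only encodes double quotes is safe in one case and exploitable in the other. The second section matters because an empty return value looks like a harmless blank in the page; a practitioner who expects escaping to "always output something" will not notice that the content was discarded.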
PHP htmlspecialchars() function example
The following example shows how to display a string on a page without escaping:
<?php
$comment = "<script>alert('Hello there');</script>";
echo $comment;
If you run this script and open the page in a web browser, the script tag is executed and you'll see an alert box.
To escape the $comment string, you use the htmlspecialchars() function as follows:
<?php
$comment = '<script>alert("Hello there");</script>';
echo htmlspecialchars($comment);
Now the webpage displays the following text instead of running the script:
<script>alert("Hello there");</script>
When you view the source of the page, you'll see the following escaped code:
&lt;script&gt;alert(&quot;Hello there&quot;);&lt;/script&gt;
The browser decodes the entities back into the literal characters for display but does not treat them as markup, so no script element is created and nothing runs.
Summary
- XSS stands for cross-site scripting, a type of attack in which an attacker injects malicious client-side code into a web page's output.
- Use the PHP htmlspecialchars() function to convert special characters to HTML entities.
- Always escape a string with htmlspecialchars() before displaying it on a webpage to prevent XSS attacks.