Serjio Serjio - 2 years ago 81
HTML Question

Escaping in HTML

I need to make my code secure from XSS. So far I have found out that I have to escape my HTML.

I know I have to escape the following:

< &lt;
> &gt;
( &#40;
) &#41;
# &#35;
& &amp;
" &quot;

I change the above characters in my code, but the code shows as a string in the browser. I do not know where to escape them, and basically how to escape them, in order for it to work correctly. Can anyone help with this?

Answer Source

You say input fields, but that's really not all that matters. You see, anything that isn't decided in PHP can be influenced by a user. With this in mind, I'm speaking of AJAX calls and routing.

For example, do you use user-friendly URLs? In that case you probably route the URL through your database. Then that is no different from an input. Any $_GET or $_POST is a vulnerability. You will always have to escape anything you get from these requests, as users can influence it.

This means an AJAX call where you send data through $_GET or $_POST, or routing where you basically say (also $_GET) index.php?page=pagename.

This would result in $_GET['page'], which should be escaped if you're passing it through a database.
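The output escaping the question asks about, worked through in PHP as an added example (this is not code from the question or from the answer). It assumes PHP 7.3 or later with the pdo_sqlite extension; the function names (e, eUrl, eJs, loadPage, renderPage, renderPageWrong), the pages table and the sample request values are all constructed for illustration. It follows the answer's $_GET['page'] routing case through a prepared statement, then shows why the questioner's page rendered as text: the template's own tags were encoded together with the data, whereas only the untrusted values should be, with an encoder that matches the context they land in.

```php
<?php
declare(strict_types=1);

// Added example, not from the original question or answer. Assumes PHP 7.3+
// with pdo_sqlite; function names and the "pages" table are made up for
// illustration. Rule demonstrated: keep data raw while it is stored and passed
// around, and encode it only at the point where it is written into HTML, using
// the encoder for that output context (text, attribute, URL, inline script).

/** Encode for HTML text content and for double-quoted attribute values. */
function e(string $s): string
{
    // ENT_QUOTES also converts the single quote; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a single value placed into a URL query string. */
function eUrl(string $s): string
{
    return rawurlencode($s);
}

/** Encode a value for an inline <script> block as a JavaScript string literal. */
function eJs(string $s): string
{
    // JSON_HEX_TAG turns < and > into \u003C / \u003E, so a value containing
    // "</script>" cannot terminate the script element early.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** The routing lookup the answer describes: $_GET['page'] goes to the database.
 *  A prepared statement keeps the slug out of the SQL text, so no SQL escaping
 *  is needed here; HTML encoding happens later, at output time. */
function loadPage(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** WRONG: encoding the whole rendered fragment. The template's own <h1> tags
 *  become entities and the browser shows them as literal text, which is the
 *  symptom the question describes. Kept only to contrast with renderPage(). */
function renderPageWrong(string $slug, ?array $page): string
{
    $title = $page['title'] ?? 'No page named ' . $slug;
    return e('<h1>' . $title . '</h1>');
}

/** RIGHT: the template is literal markup; only the untrusted values pass
 *  through an encoder, and each one is chosen for where the value lands. */
function renderPage(string $slug, ?array $page): string
{
    if ($page === null) {
        return '<p>No page named <strong>' . e($slug) . '</strong></p>';
    }
    return '<h1>' . e($page['title']) . '</h1>'
        . '<p>' . e($page['body']) . '</p>'
        . '<a href="index.php?page=' . eUrl($slug) . '" title="' . e($page['title']) . '">permalink</a>'
        . '<script>var currentPage = ' . eJs($slug) . ';</script>';
}

/** Constructed fixture: an in-memory SQLite database holding one page. */
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT)');
    $db->prepare('INSERT INTO pages VALUES (?, ?, ?)')
       ->execute(['about', 'About "us" & them', 'Reach us through the <contact> form']);
    return $db;
}

$db = openDemoDb();

// Constructed request values standing in for $_GET['page']: a normal slug and
// an attacker's attempt at script injection through the routing parameter.
foreach (['about', '<script>alert(1)</script>'] as $slug) {
    $page = loadPage($db, $slug);
    echo "--- page=$slug\n";
    echo 'wrong: ' . renderPageWrong($slug, $page) . "\n";
    echo 'right: ' . renderPage($slug, $page) . "\n";
}
```

Run it with `php escape.php` and compare the two rendered lines for each slug. Note that htmlspecialchars with ENT_QUOTES already covers the characters that are special in HTML text and attribute values (`<`, `>`, `&`, `"`, `'`), so a hand-written replacement table is unnecessary there; characters such as parentheses and `#` only matter in other contexts, which is why the URL and script values go through rawurlencode and json_encode instead of the HTML encoder.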
