I need to make my code secure from XSS. So far I have found out that I have to escape my HTML.
I know I have to escape the following:
You say input fields, but that's really not all that matters. You see, anything that isn't decided in PHP can be influenced by a user. With this in mind, I'm speaking of
AJAX calls, and
For example, do you use user-friendly URLs? In that case you probably route the URL through your database? Then that is no different from an input. Any
$_POST is a vulnerability. You will always have to escape anything you get from these requests as users can influence it.
This means an AJAX call where you send data through the
$_POST, or routing where you basically say (also
This would result in
$_GET['page'] and should be escaped if you're making it go through a database.
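
An added example, not part of the original answer: one way to handle a routed `$_GET['page']` value in PHP, binding it as a query parameter for the database lookup and escaping it with `htmlspecialchars` when it is written into HTML. The `pages` table, the in-memory SQLite database, the helper names `e`, `find_page` and `render`, and the sample requests are all constructed for illustration.

```php
<?php
// Added example: constructed data, hypothetical table and function names.
declare(strict_types=1);

// Escape a value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Look up a routed page slug with a bound parameter, so the slug is never
// concatenated into the SQL text.
function find_page(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render a page; request values and stored values are both escaped at output.
function render(PDO $db, array $get): string
{
    $slug = isset($get['page']) && is_string($get['page']) ? $get['page'] : 'home';
    $page = find_page($db, $slug);
    if ($page === null) {
        return '<h1>Not found</h1><p>No page named "' . e($slug) . '"</p>';
    }
    return '<h1>' . e($page['title']) . '</h1><p>' . e($page['body']) . '</p>';
}

// Constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO pages (slug, title, body) VALUES (?, ?, ?)');
$ins->execute(['home', 'Home', 'Welcome']);
// A stored value containing markup characters, as user-submitted text might.
$ins->execute(['about', 'About <us>', 'Tom & "Jerry"']);

// Constructed requests, used here in place of the real $_GET.
echo render($db, ['page' => 'about']), "\n";
echo render($db, ['page' => '<script>alert(1)</script>']), "\n";
echo render($db, ['page' => ['array', 'input']]), "\n";
```

The third request passes an array where a string is expected, which PHP allows through `?page[]=...`; `render` falls back to the default slug instead of handing the array to the escaping function.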