I have a website that serves as an advertising medium and has no login or registration or another input field, the only thing it has got is a search field, but I have taken care of sql imjection for now, I want to know where should I start for XSS prevention and what steps should I take, I have read the OWASP guidelines but they are too complicated, I need to start from simple to difficult.
You say input fields, but that's really not all that matters. You see, anything that isn't decided in PHP can be influenced by a user. With this in mind, I'm speaking of
ajax calls, and
For example, do you use user-friendly urls? In that case you probably route the url through your database? Then that is no different from an input. Any
$_POST is a vulnerability. You will always have to escape anything you get from these requests as users can influence it.
This means an ajax call where you send data through the
$_POST, or routing where you basically say (also
This would result in
$_GET['page'] and should be escaped if you're making it go through a database.