- The first sign of an application being vulnerable to XSS is that, in the page, it reflects the exact input given by the user. So try not to use user-given information to build output text.
- When you need to put user-provided data in the output page, validate such data
to prevent the insertion of any type of code. We already saw how to do that in the
A1 - Preventing injection attacks section.
- If, for some reason, the user is allowed to input special characters or code fragments, sanitize or properly encode the text before inserting it in the output.
- For sanitization, filter_var can be used in PHP; for example, if you want to have only email valid characters in the following string:
<?php $email = "john(.doe)@exa//mple.com"; ...