What are cross-site scripting (XSS) attacks?
Example of a cross-site scripting (XSS) attack
Suppose Michael's website has a section, such as a photo gallery or an article page, with a comment form. He built a feature that lets his visitors comment on his photos or articles by submitting the form, and the form does very little validation.
Now Sam (an intruder) visits Michael's website. He is jealous of Michael's traffic and wants to steal some of it, so he posts the following code in the comment form:
Hi Michael, very gud job, keep it up! <img src="http://google.com/images/logo.gif" onload="window.location='http://sam.com/'" />
And every time a user visits Michael's article or photos, they are rudely redirected to Sam's site.
Preventing XSS attacks in PHP
Use htmlspecialchars() to convert HTML special characters into HTML entities, so characters like < and > that mark the beginning and end of a tag are rendered as text instead of being parsed as markup. strip_tags() can be used to allow only a whitelist of tags, but it does not strip harmful attributes such as onclick or onload from the tags it allows, so on its own it is not sufficient.
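The following PHP snippet is an added example, not code from the original post. It runs the comment payload quoted above through the three rendering choices the text discusses: echoing it verbatim, escaping it with htmlspecialchars(), and filtering it with strip_tags() using an allow-list. The function names and the $comment value are constructed for this illustration.

```php
<?php
// Added example (not from the original post). $comment is the constructed
// attacker comment quoted in the article above.
$comment = 'Hi Michael, very gud job, keep it up! '
    . '<img src="http://google.com/images/logo.gif" '
    . 'onload="window.location=\'http://sam.com/\'" />';

// Unsafe: the comment is inserted into the page as-is, so the browser parses
// the <img> tag and executes its onload handler.
function renderUnsafe(string $comment): string
{
    return '<p>' . $comment . '</p>';
}

// Safe for plain-text comments: htmlspecialchars() turns <, >, &, " and '
// into entities. ENT_QUOTES covers both quote styles (needed when the value
// could land inside an attribute), ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the charset is stated explicitly.
function renderEscaped(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Insufficient: strip_tags() removes tags that are not on the allow-list but
// keeps every attribute of the tags that are. Because <img> is allowed here,
// the onload attribute survives untouched.
function renderStripped(string $comment): string
{
    return '<p>' . strip_tags($comment, '<b><i><img>') . '</p>';
}

echo renderUnsafe($comment), PHP_EOL;
echo renderEscaped($comment), PHP_EOL;
echo renderStripped($comment), PHP_EOL;
```

Running it shows the escaped version with the whole <img ...> tag visible as literal text, while the strip_tags() version still contains the onload attribute, which is why the allow-list alone does not protect the page. If comments must be able to carry some HTML, escape by default and use a dedicated HTML sanitizer for the rich-text case rather than strip_tags().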