PHP Security : Cross Site Scripting

@karannanda
## What Will I Learn?
In this tutorial we will learn what cross-site scripting is and how to create a filter to prevent XSS attacks. Cross-site scripting is a very common bug on most websites, and some companies, e.g. Google, Facebook and Yahoo, pay a bounty to the reporter.

## Requirements
- WAMP/MAMP/LAMP/XAMPP or any other PHP/MySQL web stack package
- Notepad++/Sublime
- Basic knowledge on HTML, PHP

## Difficulty
- Intermediate

## What is Cross Site Scripting?
Injecting JavaScript into a website to steal users' cookies or other credentials, in order to take control of a particular victim's account, is known as Cross Site Scripting, also called XSS.

#### Types Of Cross Site Scripting :
- ###### Stored XSS
In this type of XSS the JavaScript payload is stored in a particular page, and whenever any user opens it, all the data saved in that user's cookies goes to the attacker. For example, suppose we have a blogging website that has no filter against XSS. The attacker adds
```html
<script>alert(document.cookie)</script>
```
to his blog post, and this code shows a popup with the visitor's cookies. As the name says, the script stays stored in the page where the attacker inserted the JavaScript above.
- ###### Reflected XSS
In this type of XSS the code is not stored in the page as in stored XSS. As we can see in the example below, the attacker adds JavaScript code to the q parameter. The attacker sends it to the victim by email or some other channel and makes the victim click it by wrapping the URL in an `<a>` tag.
```text
https://example.com/news?q=<script>alert(document.cookie)</script>
```
- ###### DOM Based XSS
DOM-based XSS is different from the two types above: the injection happens entirely in the browser, inside the page's own JavaScript that reads untrusted data and writes it into the DOM, so it only appears where the DOM is manipulated.
## PHP Normal Code

```php
<?php
// Vulnerable version: the search parameter is echoed back unfiltered.
$search = $_GET['search'];
echo 'Search results for '.$search;
?>
```
In this code we have a variable `$search` and a request parameter that is also named search. The method we are using is GET. When we execute this code, it will look like this <br>
**URL :** http://localhost/xss1.php?search=Hello <br>
**Output:** Search results for Hello

But there is no restriction of any kind in this code to filter out XSS or any other injection. So if the attacker puts `<script>alert(1)</script>` in the search parameter, the result will be
![1xss.png](https://cdn.utopian.io/posts/68d03ca0fd3bf61835ef00c3874c912419a31xss.png)

## Filter to prevent XSS
```php
<?php
$search = $_GET['search'];
// Encode <, >, &, " and ' so the value is rendered as text, not markup.
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;
?>
```
In this code we have added a filter, **htmlspecialchars**, and the **ENT_QUOTES** flag converts both double and single quotes into plain text. The third argument, **UTF-8**, tells the function which character set the input uses so that its characters are handled correctly.
![1xss.png](https://cdn.utopian.io/posts/8a9da6efdf9748b44f0b5537777d5c1d31801xss.png)
As we can see in the output, all the code is rendered as normal text, and no kind of code can be executed now. There are more ways to prevent XSS, but to me the best way to protect an account and a PHP website is this. No one can bypass this filter so far.
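As an added example that is not part of the original post, here is the same htmlspecialchars filter wrapped in a small helper, used in both an HTML body and an attribute value, and checked against constructed inputs. The helper name `e()`, the `renderSearch()` function and the extra `ENT_SUBSTITUTE | ENT_HTML5` flags are my additions on top of the post's call.

```php
<?php
// Added example (not code from the original post): the tutorial's
// htmlspecialchars(ENT_QUOTES, 'UTF-8') filter as a reusable helper, used in
// an HTML body and an attribute, and checked against constructed inputs.
declare(strict_types=1);

/**
 * Escape untrusted text for an HTML body or a quoted attribute value.
 * ENT_QUOTES     encodes both " and ' so a value cannot close an attribute.
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD; without it,
 *                htmlspecialchars() returns '' for malformed input and the
 *                whole value silently disappears from the page.
 */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Same page as the tutorial's xss1.php, but every insertion goes through e(). */
function renderSearch(string $search): string
{
    $safe = e($search);
    return '<p>Search results for ' . $safe . '</p>' . PHP_EOL
         . '<input type="text" name="search" value="' . $safe . '">' . PHP_EOL;
}

// Constructed samples: a benign query, the tutorial's probe, a value full of
// quotes and an ampersand, and a truncated multibyte character (invalid UTF-8).
$samples = [
    'Hello',
    '<script>alert(1)</script>',
    '"quoted" & \'single\'',
    "caf\xC3",
];

foreach ($samples as $search) {
    $html = renderSearch($search);
    // Only the tags and quotes the template itself wrote may appear: 3 '<'
    // and 6 '"'. Nothing from the input survives unencoded, so the browser
    // renders it as text, never as markup or as an attribute boundary.
    assert(substr_count($html, '<') === 3 && substr_count($html, '"') === 6);
    echo $html;
}

// Serving a real request: the hardened equivalent of the tutorial's two lines.
if (PHP_SAPI !== 'cli') {
    echo renderSearch((string) ($_GET['search'] ?? ''));
}
```

Run it from the command line to see the four escaped renderings, or drop it in the web root in place of xss1.php to serve the filtered page.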

<br /><hr/><em>Posted on <a href="https://utopian.io/utopian-io/@karannanda/php-security-cross-site-scripting">Utopian.io -  Rewarding Open Source Contributors</a></em><hr/>