Cross Site Scripting - XSS
To output data to the client use the function out()
This function takes 1 argument which is the data you want to send in the response. It is just like using echo but it prevents XSS.
<?php $text = '<script>alert()</script>'; // Not secure. XSS vulnerable // Will show an alert echo $text; // Secure. No XSS! // Will show the text: // <script>alert()</script> out($text);
Should I worried about XSS?
Cross Site Scripting is a well known attack and easy to create. If you allow users to interact with your website by letting them post, blog, or any time of action that lets them insert data in your database, then your site is vulnerable to this type of attack.
Should you always use out()?
You should never trust the data entered by a user. Therefore it is better to always sanitize the output. PHP uses echo to respond to a request, but this function is not secure because it doesn't sanitize the data. Use out() in stead of echo.
Is out() enough againt XSS?
If you use out() everywhere in the page, you will be secured and protected against Cross Site Scripting (XSS).