I am not able to fix Cross Site Scripting (XSS) on our site. I am sanitizing the input. Some part of code is as follows
$smecompname = $_POST['companyname'];
$companyname = strip_tags(trim($smecompname));
$companyname = htmlspecialchars($companyname);
$companyname = $this->validateInput($companyname);
protected function validateInput($data) {
$data = preg_replace('/[^\p{Arabic}\dA-Za-z0-9 !@#%^&*_.-]/ui', ' ', $data);
$data = htmlspecialchars($data);
$data = html_entity_decode($data);
return $data; }
Client is using some kind of testing tools and there comment is Cross Site Scripting (XSS) can happen to site. Please advice what else I can do to fix the issue.
Can we fix the issue using .htaccess file. thank you.
We can leverage filter_input_array (available in PHP 5 >= 5.2.0, PHP 7.) I typically will add this snippet to my SessionController, because all calls go through there before any other controller interacts with the data. In this manner, all user input gets sanitized in 1 central location. If this is done at the beginning of a project or before your database is poisoned, you shouldn't have any issues at time of output...stops garbage in, garbage out.
/* Prevent XSS input */
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
/* I prefer not to use $_REQUEST...but for those who do: */
$_REQUEST = (array)$_POST + (array)$_GET + (array)$_REQUEST;