Cross-site scripting (XSS) refers to attacks on, or loopholes in, the scripting used by websites that hackers exploit for identity theft or phishing.

In PHP, two functions are mainly used to guard against XSS attacks.
i) htmlspecialchars
ii) htmlentities

i) htmlspecialchars($string, [$quote_option]) takes care of the &, ", ', < and > characters by converting them into their equivalent HTML entities. If the quote option is set to ENT_QUOTES, it converts ' (single quote) to &#039;, and if it is set to ENT_NOQUOTES, it does not convert " (double quote) to &quot;.

ii) htmlentities() escapes every character in the text that has an HTML entity equivalent, not just the five characters mentioned above.

Note: If you do not want any HTML tags in the text, use strip_tags($text) instead.
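The effect of the quote options and of the three functions on one input, as an added example (not code from the original page). The sample string and the helper name esc() are constructed for illustration.

```php
<?php
// Constructed sample input: markup, both quote styles, an ampersand and a
// non-ASCII character.
$input = "<b onclick='x()'>Tom & \"Jerry\"</b> café";

// Hypothetical helper: escape for HTML output. Flags and charset are passed
// explicitly because the default flags differ between PHP versions.
function esc(string $s, int $flags = ENT_QUOTES): string
{
    return htmlspecialchars($s, $flags | ENT_SUBSTITUTE, 'UTF-8');
}

// Report which raw quote characters survive, since those decide whether the
// result is safe to place inside a quoted HTML attribute.
function rawQuotes(string $s): string
{
    $left = [];
    if (strpos($s, "'") !== false) { $left[] = 'single'; }
    if (strpos($s, '"') !== false) { $left[] = 'double'; }
    return $left ? implode('+', $left) : 'none';
}

$rows = [
    'htmlspecialchars ENT_QUOTES'   => esc($input, ENT_QUOTES),
    'htmlspecialchars ENT_COMPAT'   => esc($input, ENT_COMPAT),
    'htmlspecialchars ENT_NOQUOTES' => esc($input, ENT_NOQUOTES),
    'htmlentities ENT_QUOTES'       => htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    // strip_tags() removes the <b> element but leaves &, ' and " untouched.
    'strip_tags only'               => strip_tags($input),
    // Stripping tags and then escaping covers both.
    'strip_tags then esc'           => esc(strip_tags($input)),
];

foreach ($rows as $label => $out) {
    printf("%-30s raw quotes left: %-14s %s\n", $label, rawQuotes($out), $out);
}
```

Only the ENT_QUOTES rows leave no raw quote behind, and the output of strip_tags() alone still carries & and both quote characters, so it is escaped again before being written into a page.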

Also check PEAR's HTML_Safe library.

On Wikipedia, you can learn more about XSS and its classification, with examples.