The primary reason for cross-site script attacks is the trust of developers for users. Developers easily think that users will never try to perform anything wrong, so they create applications without using any extra efforts to filter user input in order to block any malicious activity. Another reason is that this attack has so many variants. Sometimes, an application that properly tries to filter any malicious scripts gets confused and allows a script. In the past few months, we have seen many different kind of XSS vectors that can bypass most of the available XSS filters.

So we can never say that a website is fully protected. But we can do our best to filter most of the things, because extraordinary vectors mostly come from responsible security researchers and they will also help you in patching and making your filter smarter.

How to Create a good XSS Filter to Block Most XSS Vectors

Before we start creating a XSS filter, I want to say one important thing: We can never claim to have a perfect XSS filter. Researchers always find weird ways to bypass filters. But we can try to make a filter that can filter easy and well-known XSS vectors. At least you will be safe from script kiddies.

If you do not have an understanding of XSS, you cannot patch XSS. You should have an idea how attackers inject scripts. You should have knowledge of XSS vectors.

Let us start with basic filters:

There is a simple rule that you need to follow everywhere: Encode every datum that is given by a user. If data is not given by a user but supplied via the GET parameter, encode these data too. Even a POST form can contain XSS vectors. So, every time you are going to use a variable value on the website, try cleaning for XSS.

These are the main data that must be properly sanitized before being used on your website.

  • The URL
  • HTTP referrer objects
  • GET parameters from a form
  • POST parameters from a form
  • Window.location
  • Document.referrer
  • document.location
  • document.URL
  • document.URLUnencoded
  • cookie data
  • headers data
  • database data, if not properly validated on user input

First of all, encode all <, >, ‘ and “. This should be the first step of your XSS filter. See encoding below:

  • & –> &amp;
  • < –> &lt;
  • > –> &gt;
  • ” –> &quot;
  • ‘ –> &#x27;
  • / –> &#x2F;

For this, you can use the htmlspecialchars() function in PHP. It encodes all HTML tags and special characters.

$input = htmlspecialchars($input, ENT_QUOTES);

If the $input was= “><script>alert(1)</script>

this function would convert it into &quot;&gt;&lt;script&gt;prompt(1)&lt;/script&gt;

This line also helps when an encoded value is used somewhere by decoding it:

$input = str_replace(array(‘&amp;’,’&lt;’,’&gt;’), array(‘&amp;amp;’,’&amp;lt;’,’&amp;gt;’), $input);

A vector may use HTML characters, so you should also filter these. Add this rule:

$input= preg_replace(‘/(&#*w+)[x00-x20]+;/u’, ‘$1;’, $data);
$data = preg_replace(‘/(&#x*[0-9A-F]+);*/iu’, ‘$1;’, $input);

But these alone are not going to help you. There are many places where input does not need script tags. An attacker can inject a few event functions to execute scripts. And there are many ways by which an attacker can bypass this filter. So, we need to think about all possibilities and add a few other things to make the filter stronger. And not only JavaScript, you also need to escape from cascading style sheets and XML data to prevent XSS.

Open Source Libraries for Preventing XSS Attacks


This is a nice PHP library that can help developers add an extra layer of protection from cross-site scripting vulnerabilities. It automatically detects the encoding of the data that must be filtered. Using of the library is easy.

xss_clean.php filter

This is a b XSS filter that cleans various URF encodings and nested exploits. The developer built the function after analyzing the various sources. This coding of the function is available for free from github.

HTML Purifier

HTML Purifier is a standard HTML filtering library written in PHP. It removes all malicious span from the input and protects the website from XSS attack. It is also available as a plug-in for most PHP frameworks.


xssprotect is another nice library that gives developers a way to clean XSS attack vectors. This Library works by creating the HTML tag tree of the webpage. Then it parses the page and matches all tags. After that, it calls the filter interface to filter improper HTML attributes and XSS attacks. This library is written in Java.


HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious span (better known as XSS) with a thoroughly audited, secure yetpermissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C‘s specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have aWYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you’re building? HTML Purifier is for you!


Using the provided techniques and software available is essential in limiting the vulnerability to XSS exploits. I hope you have enjoyed reading, stay tuned for more content.