XSS Attacks Best Prevention

What is Cross-Site Scripting Prevention?

A Cross-Site Scripting attack involves executing malicious code on a victim’s browser. Typically, the challenges to preventing Cross-Site Scripting (XSS) vulnerabilities are complex since attacks can be orchestrated at any point in a vulnerable web application. This article explores the best practices for Cross-Site Scripting prevention and types of attacks in modern web applications and addresses commonly asked questions.

But before that, here is a quick introduction to how an XSS attack is orchestrated. 

In an XSS attack, the threat actor crafts a malicious script routed to the user, then executed by the application browser. This is usually perpetrated by the attacker using input fields to send crafted HTML/JavaScript code to a website which gets interpreted by the modern browsers of the victim.

The web application includes the executed script as part of its response as if it is legitimate. As soon as this happens, the attacker has full access to all resources available for the current session, including cookies, local storage, form values, etc. In addition, the malicious user may also have complete control over the victim’s machine.

Benefits of Preventing XSS Vulnerabilities

If not detected and fixed on time, cross-site scripting vulnerabilities can facilitate attacks detrimental to the organization. Through XSS attacks, threat actors can easily compromise how websites present content to users. Additionally, attackers can leverage XSS vulnerabilities to seize accounts, exploit user credentials, identity theft, impersonate users and escalate privileges.

Other malicious actions they can undertake include uploading malware, phishing attacks, exposure of sensitive data, and orchestration of full-blown attacks.  

How to Prevent XSS Attacks

Since its discovery in the late 1990s, XSS vulnerability has been considered a common attack vector widely exploited by attackers. Since there are several identified gaps in the sanitization of user input, security professionals often focus on fixing cross-site scripting vulnerabilities based on two factors:

1. Type of XSS attack carried out, and

2. Programming language used to develop the application.

While considering the factors, security professionals categorize XSS attacks as:

  • Reflected attack
  • Stored attack
  • DOM-based attack

Reflected XSS Attacks

The simplest type of XSS attack is where the application immediately processes and returns unsanitized user input in a search result, error message, or other HTTP responses. The application logic returns an unsafe input as part of the response without rendering it safely or storing data generated by users. In most reflected XSS attacks, users’ data never leaves the browser.

Stored XSS Attacks

A stored XSS attack is a persistent form of XSS that relies on the application’s persisting user input on the target server. Unsuspecting users then retrieve this data from the application without sanitization or validation. Modern applications that use HTML5 allow attackers to store the malicious payload permanently on the browser, typically using HTML databases. 


The Document Object Model is a platform-independent interface that defines a logical structure for accessing and manipulating documents in HTML and XML. Hackers orchestrate DOM-based XSS attacks by modifying the DOM environment on the browser so that client-side code is executed in an unsafe manner.

DOM-based vulnerabilities are advanced and challenging to fix since malicious client-side scripts do not go to the server. This makes it difficult for automatic vulnerability scanners and a Web Application Firewall to detect them since they don’t leave traces on the server logs.

Strategies for preventing XSS attacks depending on the platform/programming language used. In the sections to follow, we will explore how to prevent XSS attacks on the following application types:

  1. Prevent XSS in PHP
  2. Prevent XSS in Javascript
  3. Prevent XSS in JQuery

Preventing XSS in PHP

The web client executes remote scripts while rendering content if a PHP application accepts HTML or Javascript input. For instance, if the client-side includes a Javascript file:

document.write("I'm executing");

And the application directly processes a string that is parsed into it:

echo '<div>' . $_GET['input'] . '</div>';

If the GET parameter contains <script src=””></script> and is not sanitized, then the PHP’s script output will run the command of the darwin.js script:

<div><script src=""></script></div>

This script will display “I’m executing” on the web page. 

PHP includes an inbuilt function called htmlentities that can be used to encode HTML entities. Developers call this function to escape user-supplied HTML input.

For Javascript, developers use unicode-escape input. While PHP does not supply a function to do this, it can be done with a PHP code similar to:

function jsEscape($str) {
  $output = '';
  $str = str_split($str);
  for($i=0;$i<count($str);$i++) {
  $chrNum = ord($str[$i]);
  $chr = $str[$i];
  if($chrNum === 226) {
    if(isset($str[$i+1]) && ord($str[$i+1]) === 128) {
      if(isset($str[$i+2]) && ord($str[$i+2]) === 168) {
        $output .= '\u2028';
        $i += 2;
      if(isset($str[$i+2]) && ord($str[$i+2]) === 169) {
        $output .= '\u2029';
        $i += 2;
  switch($chr) {
    case "'":
    case '"':
    case "\n";
    case "\r";
    case "&";
    case "\\";
    case "<":
    case ">":
      $output .= sprintf("\\u%04x", $chrNum);
      $output .= $str[$i];
  return $output;

FAQs for preventing XSS Vulnerabilities in PHP

Are there any templates that simplify the prevention of cross-site scripting in PHP?

Some third-party libraries help teams quickly prevent an XSS application vulnerability in PHP. These include:

All these are highly efficient templates that are straightforward and can be used by even beginner-level PHP developers.

What are other ways to prevent XSS in PHP web applications?

  • Use htmlspecialchars to obtain HTML entities from special characters
  • Use the strip_tags function to strip PHP and HTML tags from a string
  • Limit CSS file sources with Style_src

Preventing XSS in Javascript

Javascript is popular with modern web apps because it uses the Document Object Model to create dynamic HTML pages. Unfortunately, data in the dynamic content may consist of malicious links sent to the webserver from untrusted sources without sufficient validation. 

Since Javascript does not include native functions to encode HTML, developers must create their HTML encoders. For example, to convert a string to HTML, developers should develop a Javascript function similar to:

function htmlEncode(str){
  return String(str).replace(/[^\w. ]/gi, function(c){
    return '&#'+c.charCodeAt(0)+';';

The function is used in a script as follows:

<script>document.body.innerHTML = htmlEncode(untrustedValue)</script>

For inputs inside Javascript strings, developers should include an encoder with Unicode escapes. A sample encoder would look similar to:

function jsEscape(str){
  return String(str).replace(/[^\w. ]/gi, function(c){
    return '\\u'+('0000'+c.charCodeAt(0).toString(16)).slice(-4);

This is then parsed inside a script as shown:

JavaScript Vulnerability in a graphic

Preventing XSS in JQuery

Most XSS attacks on JQuery applications are performed when user input is parsed to the JQuery selector. Developers should use in-built functionalities of the JQuery editor to enable the sanitization of user inputs before executing them in the JQuery content area. When writing code, developers should use attribute dripping and value encoding capabilities to validate scripts executed by the application. They should also use the serialization.custom and deserialization.custom editor options, as shown:

<script src=""></script>
    function sanitizeHtml(html) {
        var temp = $("<div></div>").html(window.DOMPurify.sanitize(html));
        return temp.html() || "\ufeff";
        tools: [
        deserialization: {
            custom: function(html) {
                return sanitizeHtml(html);
        serialization: {
            custom: function(html) {
                return sanitizeHtml(html);
  var editor = $("#editor").getKendoEditor();
  editor.value('<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object>');

Risk levels of XSS vulnerabilities

XSS vulnerabilities are the second most prevalent security flaw in modern applications and fall into the category of injections. They are, therefore, in the third position on the OWASP Top 10.  XSS attack vectors have an exploitability factor of 3, meaning that even freely available, automated scanners can be used to detect and exploit them.

The vulnerabilities also have a detectability score of 3 since they can be readily discovered, especially in mature technologies. Besides this, XSS vulnerabilities have a technical impact of 2 since reflected XSS attacks are moderate and stored XSS attacks are severe. These attacks’ business impact varies with the sensitive data and systems exposed.

Other XSS prevention measures

Some methods to prevent XSS vulnerabilities on a vulnerable application include:

Organization-wide awareness

The most significant threat vector for XSS attacks is the user input interface. Therefore, every user of an organization’s applications needs to understand the impact and severity of XSS attacks and avoid the pitfalls that lead to successful hacks. It is also important to disclose special characters and other methods that attackers can use to orchestrate their acts for company-wide preparedness.

User input validation

It is critical to ensure that user-supplied input is clean and valid. This is achieved using a safe transfer protocol such as HTTP or HTTPS. Developers should also set up filters to ensure that expected numeric inputs are integers. Finally, Whitelisting also ensures that the application only accepts valid characters.


All user data should be encoded before being committed onto a page. This involves converting non-whitelisted HTML values into entities. For example, in Javascript, alphanumeric values are escaped using Unicode. In most applications, multiple layers of entity encoding are used to safely embed user input inside other functions. 

Sanitize HTML input

Developers should limit users from posting HTML markups whenever possible. When user input includes some HTML markup, developers should consist of functions for filtering and encoding. Another method involves using libraries that accept markdown content which is then converted to HTML on execution. 

Content Security Policies (CSPs)

CSPs are considered the last resort of the XSS prevention tactic as they allow software professionals to restrict what an attacker can do once they gain control of the system. A CSP is deployed by including an HTTP response header named Content-Security-Policy and supplying a value containing the policy. The policy helps developers control various factors, such as inline script execution, object sources, and the loading of external scripts.

XSS prevention guide

Prevention Guide

XSS Prevention Guide

Cross-site scripting (XSS) is one of the most commonly known injection attacks. Learn how to detect and prevent it. Download this guide for free.


Frequently Asked Questions

How do attackers use XSS vulnerabilities?

Attackers insert malicious scripts through the web page using a hyperlink or a web form. Once the script is executed, attackers can hijack the session, steal sensitive data, or redirect users to malicious sites.

How frequently do XSS attacks occur?

XSS vulnerabilities are the second most prevalent issue for modern applications and are found in about two-thirds of websites. However, while attackers quickly discover these, security teams can also find them quickly, reducing attacks’ frequency.

What is the difference between Cross-site scripting and Cross-site request forgery?

With XSS, the attacker uses an endpoint (browser) to send malicious content to be executed by the application. In CSRF, attackers rely on social engineering and other tactics to trick users into performing unintended actions. 

How our scanner can help you prevent and detect XSS attacks vulnerabilities

Crashtest Security Suite helps you detect threats such as XSS vulnerabilities by implementing a security vulnerability scanner that provides accurate reports and remediation advice.

The continuous, automated vulnerability scanning process allows developers to save time and focus on work while it benchmarks the web app against OWASP top 10 to enhance security posture. In addition, the suite integrates with most existing development stacks and allows you to scan various web applications, Javascript functions, and APIs in minutes.

Try Crashtest Security today to discover how it integrates into your development stack for efficient, automated vulnerability scanning.

How To Best Prevent XSS Attacks Explained in a Video

Get a quick security report for your website for free now

We are analyzing
Scanning target
Scan status: In progress
Scan target:
Date: 30/11/2023
Crashtest Security Suite will be checking for:
Information disclosure Known vulnerabilities SSL misconfiguration Open ports
Complete your scan request
Please fill in your details receive the
quick security audit by email.
Security specialist is analyzing your scan report.
То verify your identity please provide your phone/mobile:
Thank you.
We have received your request.
As soon as your security audit is ready, we will notify you.