XSS Prevention in PHP: Common Mistakes and Fixes
Cross-site scripting in PHP usually happens because someone escaped the wrong thing, in the wrong place, at the wrong time. I’ve seen teams add htmlspecialchars() everywhere and still ship XSS. Not because the function is bad, but because XSS prevention is context-sensitive. A value that is safe in HTML text is not automatically safe in an attribute, a JavaScript string, or a URL. If you remember one rule, make it this one: ...
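The following PHP script is an added example, not code from the original article. It puts four constructed attacker inputs through the "htmlspecialchars() everywhere" approach and then through per-context escaping, so the difference between HTML text, a JavaScript string inside an event handler, a query-string value and an href can be seen in the rendered output. It assumes PHP 8.0 or later; the helper names (esc_html, esc_js, esc_url_param, safe_href, render_wrong, render_right) and the track() handler are this example's own, not a library API.

```php
<?php
declare(strict_types=1);
// Added example, not from the original article. Assumes PHP 8.0+; the helper
// names below are this example's own, not a library API.

/** HTML text and quoted HTML attribute values. Flags are explicit because on
 *  PHP < 8.1 the default (ENT_COMPAT) leaves single quotes alone, so a value
 *  placed in a single-quoted attribute could still break out. */
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** A value embedded in JavaScript as a literal. json_encode yields a valid JS
 *  literal (its own quotes included); the JSON_HEX_* flags turn < > & ' " into
 *  \uXXXX, so the result can neither close a <script> block nor end a
 *  surrounding quote, even after an HTML parser has decoded the attribute it sits in. */
function esc_js(mixed $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** One query-string key or value: percent-encoding, not HTML encoding. */
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

/** A whole URL destined for href/src. No escaping makes "javascript:" inert,
 *  so the URL is allow-listed first (absolute http/https or a site-relative
 *  path), and only then HTML-escaped because it lands inside an attribute. */
function safe_href(string $url): string
{
    if (!preg_match('~^(?:https?://|/(?!/))~i', $url)) {
        return '#';   // javascript:, data:, vbscript:, leading whitespace, ... all refused
    }
    return esc_html($url);
}

// Constructed attacker inputs, one per output context.
$text  = '<img src=x onerror=alert(1)>';   // HTML body
$jsArg = "');alert(1);//";                 // JS string inside an event handler
$query = 'a&b=<script>';                   // query-string value
$link  = 'javascript:alert(1)';            // href

/** The mistake from the article: one escaper, every context. */
function render_wrong(string $text, string $jsArg, string $query, string $link): string
{
    $h = fn(string $s): string => htmlspecialchars($s);   // default flags, reused everywhere
    return '<p>' . $h($text) . "</p>\n"                   // this one is actually fine
        // The browser HTML-decodes the attribute before running it, so &#039;
        // (or a raw ' on PHP < 8.1) becomes a quote again and ends the JS string:
        // onclick="track('&#039;);alert(1);//')"  ->  track('');alert(1);//')
        . '<button onclick="track(\'' . $h($jsArg) . '\')">go</button>' . "\n"
        // HTML-encoding does not percent-encode: & and = survive decoding, so
        // q=a and b=<script> become two parameters instead of one value.
        . '<a href="/search?q=' . $h($query) . '">search</a>' . "\n"
        // Nothing in javascript:alert(1) needs HTML-escaping; it passes through.
        . '<a href="' . $h($link) . '">me</a>' . "\n";
}

/** Escape for the innermost context first, then for each enclosing one. */
function render_right(string $text, string $jsArg, string $query, string $link): string
{
    return '<p>' . esc_html($text) . "</p>\n"
        // JS literal first (quotes become \u0027), then HTML for the attribute:
        // onclick="track(&quot;\u0027);alert(1);\/\/&quot;)" -> one string argument
        . '<button onclick="track(' . esc_html(esc_js($jsArg)) . ')">go</button>' . "\n"
        // URL component first (a%26b%3D%3Cscript%3E), then HTML for the attribute.
        . '<a href="/search?q=' . esc_html(esc_url_param($query)) . '">search</a>' . "\n"
        . '<a href="' . safe_href($link) . '">me</a>' . "\n";
}

echo "--- wrong ---\n", render_wrong($text, $jsArg, $query, $link);
echo "--- right ---\n", render_right($text, $jsArg, $query, $link);
```

Run it with `php` on the command line and compare the two blocks. The onclick line is the one worth staring at: the value was escaped with the right function, but at the wrong time, because the browser undoes the HTML encoding before the JavaScript engine ever sees it. Encoding for the innermost context first and wrapping outward is what keeps the layers from cancelling each other out.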