Sanitize User Input for XSS in PHP

Thu, Sep 1, 2011

The best way to sanitize HTML submitted by your users (in PHP) is the HTML Purifier library. HTML Purifier strips XSS vectors from user-supplied markup, outputs standards-compliant HTML, and generally lets you sleep just a bit safer at night. It does not make the input safe for every context: the purified string is safe to render as HTML, but before you use it anywhere else (such as in an SQL statement) it still needs the escaping appropriate to that context. What it does do is remove XSS attacks against your website.

Here’s a simple example of how to use it:

require_once 'HTMLPurifier.auto.php'; // the autoloader that ships with the library
$purifier = new HTMLPurifier();
$clean_html = $purifier->purify($user_string); // purify() returns the cleaned HTML; it does not modify $user_string
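An added example, not from the original post, that goes one step beyond the two-line call: it pins down an explicit element/attribute whitelist with HTML.Allowed and URI.AllowedSchemes, runs a few constructed inputs through purify(), and shows that the result is only safe for the HTML context. It assumes the library is installed through Composer as ezyang/htmlpurifier; the sample strings and cache path are constructed.

```php
<?php
// Added example (not the original post's code). Assumes HTML Purifier was
// installed with Composer (package ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist: only these elements/attributes survive, everything else is removed.
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li');
    // Restrict href schemes; javascript: and data: URIs in links are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Constructed cache path for generated definitions; it must be writable.
    $cacheDir = sys_get_temp_dir() . '/htmlpurifier';
    if (!is_dir($cacheDir)) {
        mkdir($cacheDir, 0700, true);
    }
    $config->set('Cache.SerializerPath', $cacheDir);
    return new HTMLPurifier($config);
}

// Constructed samples of what a comment form might receive.
$samples = [
    'benign'    => '<p>Hello <b>world</b>, see <a href="https://example.com/">this</a></p>',
    'script'    => '<p>hi</p><script>alert(1)</script>',   // element not whitelisted
    'handler'   => '<b onmouseover="alert(1)">hover</b>',  // attribute not whitelisted
    'uri'       => '<a href="javascript:alert(1)">click</a>', // scheme not allowed
    'malformed' => '<p><b>unclosed',                       // tidied into valid HTML
];

$purifier = makePurifier();
foreach ($samples as $label => $dirty) {
    $clean = $purifier->purify($dirty); // returns the sanitized string
    printf("%-10s %s\n", $label . ':', $clean);
}

// $clean is safe to emit as HTML body content only. The same data placed in
// another context still needs that context's handling, e.g. a prepared
// statement when it is stored in SQL:
//   $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
//   $stmt->execute([':body' => $clean]);
```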