Which is better method to prevent XSS?

Question

Which is better method to prevent XSS attacks? Here is the code I am trying to do.

Is this line of code enough to prevent XSS attacks? or Do I have to parse each element with 'strip_tags'. Thank you for any suggestions.

  $xss = array_map('strip_tags', $_POST);   

OR

In this method I have to change a lot of form elements with 'strip_tags'.

$f_name = strip_tags($_POST["f-name"]);
$a_id = isset($_POST['a_id']) ? (int)strip_tags($secure_POST['a_id']) : 0;

$qry = $pdo_conn->prepare('INSERT INTO TABLE1(id, f_name) VALUES (?, ?)');
$qry->execute(array($a_id, $f_name));

Answer 1

XSS means Cross Site Scripting and is injecting a website with malicious html elements. This can be prevented by setting a proper charset (like utf8) and htmlentities when displaying it.

You want to keep original data in your database, just in case. If you would ever change anti-XSS tactics you can do that all at once, because the data is not already prepared.

I think you mean anti sql-injection. Prepared statements do that themselfs (if defined proper charset like utf8), no need to worry about that. You can do some checks beforehand though, like checking if $_POST['int'] really only has int values (as example).

Answer 2

The best practice to prevent from XSS is to encode and sanitize the data during output because XSS occurs while data being printed, then, refer to OWASP - XSS (Cross Site Scripting) Prevention Cheat Sheet for more information.

Using prepared statement (parametrized) prevents you from SQL injection attack but not XSS, therefore, you have to consider both attack if you allow user to input data because user data should always be considered untrusted.