How to Fix a XSS Vulnerability in PHP Source Codes
Information
For fix the problem of cross site injection we have to use one of the 3 functions php.
These functions clean up the HTML tags, so is not possible inject into the code.

The function more used is htmlspecialchars() that transmutes all the characters "<" and ">" into "<" and ">".
Another option is htmlentities(), which replaces all the characters in the corresponding entities.

PHP Code:
<?php
// This page shows an example 
// of the differences in output between 2 functions

$input '<script>alert(1);</script>';

echo 
htmlspecialchars($input) . '<br />';
echo 
htmlentities($input);

?>


An example of htmlentities()

PHP Code:
<?php
$str 
"A 'quote' is <b>bold</b>";

echo 
htmlentities($str);
echo 
htmlentities($strENT_QUOTES);
?>


The first show --> A 'quote' is &lt;b&gt;bold&lt;/b&gt;
The second --> A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;

An example of htmlspecialchars()

PHP Code:
<?php
$new 
htmlspecialchars("<a href='test'>Test</a>"ENT_QUOTES);
echo 
$new;
?>

This show --> &lt;a href='test'&gt;Test&lt;/a&gt;

The funztion strip_tags(), instead, deletes all HTML elements, except certain elements that need to specify permitted such as <i>, <b> or <p>.

An example of strip_tags()

PHP Code:
<?php
$text 
'<p>Test paragraph.</p><!-- Comment --> Other text';
echo 
strip_tags($text);

echo 
"\n";
// allow <p>
echo strip_tags($text'<p>');
?>


Now that we know at least that there are these functions, we will to apply into the code when we find a xss in our web application.

I have recently found a xss on my website in Video section of GoogleBig which is a plugin of Mybb forum, I have placed a piece of code to make the idea of how I had to apply the function to fix the search bug.

First of all I have found the php page in question: search.php

Now let's look for the portion of code that makes available research, query and output the result of the query:

PHP Code:
function search($query$page)

{

    global 
$db$bgcolor2$bgcolor4$sitename$io_db$module_url$list_page_items$hm_index;

    
$option trim($option);

    
$query trim($query);

    
$query FixQuotes(nl2br(filter_text($query)));

    
$db->escape_string($query);

    
$db->escape_string($option);

        
alpha_search($query);
    ... 


In this case the variable that passes the values is $query then we apply the function htmlentities():

PHP Code:
    $query FixQuotes(nl2br(filter_text(htmlentities($query)))); 

If you have problems you can post here, or consult the manuals on these 3 php functions that we saw:

http://it.php.net/htmlentities
http://it2.php.net/htmlspecialchars
http://it2.php.net/strip_tags

The following guide can be used freely on any site without changes including copyright.