How to secure your code from XSS

It's easy to secure if you found XSS bugs. Look at this code:

if(isset($_POST['form'])){echo "<html><body>" .$_POST['form']. "</body></html>";}

Say the variable $_POST['from'] was coming from a input box then you have a XSS attack.
It is a very easy way to secure that.

$charset='UTF-8'; $data = htmlentities ($_POST['form'], ENT_NOQUOTES, $charset);
if(isset($data)){echo "<html><body>" .$data. "</body></html>";}

That will take all possible code and make it not executable by turning it into stuff like
< ect.

You won't notice a diffrence when using htmlentries();.

Also there's another common function: striptags().

Another way to show you how to secure integer variables.

$this = $_GET['id'];
echo "You are viewing " . $this . "blog";

If we include ?id=<script>alert("XSS")</script>
in the URL it is going to execute our code. An easy way to secure this is using (int):

$this = (int)$_GET['id'];
echo "You are viewing " . $this . "blog";