Cross-Site Scripting in PHP

Cross-site scripting (XSS) has become the most common web application security vulnerability, and with the rising popularity of Ajax technologies, XSS attacks are likely to become more advanced and to occur more frequently.

The term cross-site scripting derives from an old exploit and is no longer very descriptive or accurate for most modern attacks, and this has caused some confusion.

Simply put, your code is vulnerable whenever you output data that has not been properly escaped for the output's context. For example:

echo $_POST['username'];

In order to prevent XSS, you simply need to properly escape your output for the output context:

$html = array(
 'username' => htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'),
);
echo $html['username'];
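
The same rule applied to more than one output context, as an added example that is not part of the original post. It goes beyond the HTML case above to cover an inline script and a URL parameter; the helper names esc_html, esc_js and esc_url_param, the sample value and the /profile.php path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not from the original post), one per output context.

// HTML body text and quoted attribute values.
function esc_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal inside an inline <script> block.
// The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the value
// cannot close the script element or the surrounding string.
function esc_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A single query-string parameter value.
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample value standing in for $_POST['username'].
$username = 'O\'Reilly "<b>admin</b>" & co';

// HTML body: markup characters become entities.
echo '<p>Hello, ' . esc_html($username) . "</p>\n";

// Quoted HTML attribute: ENT_QUOTES covers both quote styles.
echo '<input type="text" name="username" value="' . esc_html($username) . "\">\n";

// Inline script: json_encode() supplies the surrounding quotes itself.
echo '<script>var username = ' . esc_js($username) . ";</script>\n";

// URL inside an attribute: encode the parameter first, then escape the
// finished URL for the attribute it is placed in (/profile.php is a
// hypothetical path).
$url = '/profile.php?user=' . esc_url_param($username);
echo '<a href="' . esc_html($url) . "\">Profile</a>\n";
```

Using the HTML helper inside the script block, or the script helper inside an attribute, would leave the value wrongly escaped for that context, which is why each context gets its own function.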
