PHPprogramming~30 mins

How XSS attacks exploit unescaped output in PHP - Try It Yourself

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

How XSS Attacks Exploit Unescaped Output

📖 Scenario: You are building a simple PHP web page that shows user comments. This page does not escape user input before showing it. This can cause a security problem called Cross-Site Scripting (XSS).XSS happens when a user enters code that runs in other users' browsers, which can steal information or cause harm.

🎯 Goal: Learn how unescaped output can let harmful code run on a web page by creating a PHP script that shows user comments without escaping, then see how an attacker can add a script tag.

📋 What You'll Learn

Create an array called comments with user comments including a normal comment and a comment with a script tag

Create a variable called output to hold the combined comments as a string

Use a foreach loop with variables comment to add each comment to output without escaping

Print the output variable to show the comments on the page

💡 Why This Matters

🌍 Real World

Web developers must always escape user input before showing it on pages to protect users from XSS attacks.

💼 Career

Understanding XSS and safe output handling is essential for secure web development jobs and protecting websites from hackers.

Progress0 / 4 steps

Create the comments array

Create an array called comments with these exact entries: 'Hello, this is a safe comment.' and ''

PHP

# Create the comments array with two entries
# Your code here

Need a hint?

Use $comments = [ ... ]; to create the array with the exact two strings.

Create the output variable

Create a variable called output and set it to an empty string ""

PHP

alert("XSS Attack!");'
];

# Create the output variable as an empty string
# Your code here

Need a hint?

Use $output = ""; to start with an empty string.

Add comments to output without escaping

Use a foreach loop with variable comment to add each comment from $comments to $output by concatenating $comment and a line break "<br>" without escaping

PHP

alert("XSS Attack!");'
];

$output = "";

# Use foreach to add comments to output without escaping
# Your code here

Need a hint?

Use foreach ($comments as $comment) { $output .= $comment . "<br>"; } to add each comment with a line break.

Print the output

Write echo $output; to display the combined comments on the page

PHP

alert("XSS Attack!");'
];

$output = "";

foreach ($comments as $comment) {
    $output .= $comment . "";
}

# Print the output
# Your code here

Need a hint?

Use echo $output; to show the comments on the page.