Recall & Review
beginner
What is an XSS attack?
XSS (Cross-Site Scripting) is a security attack where an attacker injects malicious scripts into web pages viewed by other users.
Click to reveal answer
beginner
Why does unescaped output lead to XSS vulnerabilities?
Unescaped output allows attackers to insert harmful code that the browser runs as part of the page, because the output is not treated as plain text.
Click to reveal answer
beginner
What does 'escaping output' mean in PHP?
Escaping output means converting special characters like <, >, & into safe codes so browsers show them as text, not code.
Click to reveal answer
intermediate
Show a simple PHP example where unescaped output causes XSS.
If you do: <br><?php echo $_GET['name']; ?><br>and someone visits ?name=<script>alert('XSS')</script>, the script runs.
Click to reveal answer
beginner
How to fix XSS vulnerabilities in PHP output?
Use functions like htmlspecialchars() to escape output before showing it on the page.
Click to reveal answer
What does XSS stand for?
✗ Incorrect
XSS means Cross-Site Scripting, a type of security attack.
Why is unescaped output dangerous in PHP?
✗ Incorrect
Unescaped output lets attackers inject scripts that run in users' browsers.
Which PHP function helps prevent XSS by escaping output?
✗ Incorrect
htmlspecialchars() converts special characters to safe HTML entities.
What happens if you output user input directly without escaping?
✗ Incorrect
Direct output without escaping can let attackers run harmful scripts.
Which character should be escaped to prevent XSS?
✗ Incorrect
The < character starts HTML tags and must be escaped to prevent code injection.
Explain how unescaped output in PHP can lead to an XSS attack.
Think about what happens when user input is shown directly on a page.
You got /4 concepts.
Describe how to prevent XSS attacks when displaying user input in PHP.
Focus on the function that changes < and > to safe codes.
You got /4 concepts.