I am looking for a good php security api that I can use to help prevent XSS. I have found the OWASP ESAPI. The problems with the OWASP is it doesn't have good documentation and I think it may be way over the top. It is about 20mb of files. I couldn't even really try it because the installation instructions are out of date and couldn't get it to work.
Does anyone have any suggestions of a good PHP security API?
"Hippies.They're everywhere. They wanna save the earth, but all they do is smoke pot and smell bad."-Cartman
There is no "tool" or API that can be substituted for experience. I encourage you to take a proactive approach and attack someone else's site (WITH THEIR PERMISSION FIRST!). Once you learn the attack vectors for XSS, go back and audit your own code. htmlentities() is a very simple countermeasure in most cases. Don't just use 1 layer of security. If someone gets your database credentials, they can easily launch stored XSS attacks if you don't validate that data.
That being said, there are some tools. "XSS ME" is an addon for firefox, It was included in the backtrack version 3 OS, so I doubt it is junk. I have also heard great things about OWASP in academic circles, but not in the past 2 years. If you get it to work, please post back with some results.
Proper sanitation and filtering of ANY POSSIBLE user input stops the majority of attacks that most sites run up against. Possible user input means anything that a user can possibly alter (obvious ones being GET, POST, and COOKIE values). XSS can be partially prevented using white list filtering (say what the data can be, like an int only) or black list filtering (if your users aren't entering code you can filter <>'"`$%...etc out), and then simply using htmlentities() takes the remaining data and prevents it from being interpreted as code.
But i agree with eval here, no API can truly protect you from these security issues. You should design your application from the ground up to resist such attacks with different layers of security.