Question

I want to make sure my sanitize doesn't have any leaks in it. And also, I'm only outputting user data within hardcoded p tags and h1 tags

e.g.: <p><?php echo htmlspecialchars($user_data); ?></p>

So is this a safe way to protect me against XSS injections?

First, I'm using this function to sanitize the data before it gets inserted into my DB, and while inserting into my DB I'm using bind_param

function sanitize($str) {
   // trim whitespace, strip HTML tags, then lowercase the result
   return strtolower(strip_tags(trim($str)));
}

sanitize($user_data); -> then gets inserted into the DB

Then when I grab the data from the DB I am using this to show it.

<p> <?php echo htmlspecialchars($user_data); ?> </p>

So, is this a safe way to block any XSS?

Thanks!


Solution

From a security standpoint, there is no need to use your sanitize function as long as you escape / process your data correctly for the medium you are outputting to:

  • Using htmlspecialchars() is all that is needed for output to HTML;
  • Use json_encode if you need to output to JavaScript;
  • Use prepared statements with bound variables for your database;
  • etc.
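The three rules above as one worked page, added here as an illustration and not taken from the question or the answer. The `comments` table, its `body` column and the `$db` mysqli connection are assumed for the example; the sample input is constructed to contain characters that are significant in each output context.

```php
<?php
// Added example (not the asker's or answerer's code): keep the stored value
// as the user typed it, bind it for the database, and escape per output
// context. Table name, column name and $db are assumptions.
declare(strict_types=1);

// Constructed sample input: ampersand, angle brackets, both quote styles
// and a closing script tag, so every escaper below has something to do.
$user_data = 'Tom & Jerry <b>"bold"</b> \'quoted\' </script>';

// 1. Database: a bound parameter keeps the SQL and the data separate, so no
//    strip_tags/strtolower is required and the original text survives.
function store(mysqli $db, string $value): void {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $value);
    $stmt->execute();
}

// 2. HTML body or attribute: ENT_QUOTES also encodes single quotes, which
//    matters when the value lands inside a single-quoted attribute.
function escHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Inline JavaScript: json_encode produces a valid JS string literal; the
//    HEX flags turn < > & ' " into \uXXXX so a "</script>" inside the value
//    cannot close the surrounding <script> element.
function escJs(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}
?>
<!-- Each output location uses only the escaper for its own context. -->
<p><?= escHtml($user_data) ?></p>
<input type="text" value="<?= escHtml($user_data) ?>">
<script>
  var comment = <?= escJs($user_data) ?>;
</script>
```

`store()` is defined but not called, since the snippet has no live database; the rendered HTML and script block can be inspected directly by running the file through the PHP CLI.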
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow