How to Check Text Input for Cross-Site Scripting (XSS) Attacks in PHP

Mar 21


Cross-site Scripting (XSS) attacks target our website visitors, compromising their personal information by exploiting vulnerabilities in our website’s security.

Thankfully, you can sanitize XSS attempts easily with the help of our XSS Detection & Normalization API. As the name suggests, the underlying service identifies whether a text string contains an XSS attempt and normalizes the result if it does.

Below, I’ll demonstrate how you can quickly implement this API with ready-to-run PHP code examples (you can find other code examples here if need be). To use this API for free, first grab a free-tier API key by registering a free account on our website, and then follow the simple steps below to get up and running.

To start, run the following command to install the SDK:

composer require cloudmersive/cloudmersive_security_api_client

After that, structure your request with the below code, then configure your API key and text string inputs:

<?php
require_once(__DIR__ . '/vendor/autoload.php');

// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');

// Build the API client from an HTTP client and the configuration above
$apiInstance = new Swagger\Client\Api\ContentThreatDetectionApi(
    new GuzzleHttp\Client(),
    $config
);
$value = "value_example"; // string | User-facing text input.

try {
    // Send the text for XSS detection and normalization
    $result = $apiInstance->contentThreatDetectionProtectXss($value);
    print_r($result);
} catch (Exception $e) {
    echo 'Exception when calling ContentThreatDetectionApi->contentThreatDetectionProtectXss: ', $e->getMessage(), PHP_EOL;
}
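
The catch block above only prints the error, so the calling code still has to decide what happens to the input when the check cannot run, for example once the monthly call limit is reached. The following is an added example, not Cloudmersive's code: a fail-closed wrapper around the check, combined with output encoding through htmlspecialchars(). It assumes the SDK result object exposes getContainedXss() and getNormalizedResult(); screenInput, renderComment and the offline stub are hypothetical names, and the code needs PHP 8.

```php
<?php
// Added example, not Cloudmersive's code. $detector is any callable that takes the raw
// string and returns the API result object; with the SDK call from this page it would be
//   fn(string $v) => $apiInstance->contentThreatDetectionProtectXss($v)
// ASSUMPTION: the result exposes getContainedXss() and getNormalizedResult().

function screenInput(string $raw, callable $detector): array
{
    try {
        $result = $detector($raw);
    } catch (Throwable $e) {
        // Network error, bad key or exhausted quota: reject instead of storing unchecked input.
        error_log('XSS check unavailable: ' . $e->getMessage());
        return ['accepted' => false, 'reason' => 'check_unavailable', 'value' => null];
    }
    if ($result->getContainedXss()) {
        // Hand back the normalized text so the caller can log it or show it to the user.
        return ['accepted' => false, 'reason' => 'xss_detected', 'value' => $result->getNormalizedResult()];
    }
    return ['accepted' => true, 'reason' => null, 'value' => $raw];
}

function renderComment(string $value): string
{
    // Encode at output time as well; the input check does not replace this step.
    return '<p>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed stand-in for the API so the example runs offline; it is not how the service decides.
$stub = function (string $v) {
    if ($v === 'SIMULATE_OUTAGE') {
        throw new RuntimeException('quota exceeded (simulated)');
    }
    return new class($v) {
        public function __construct(private string $v) {}
        public function getContainedXss(): bool { return stripos($this->v, '<script') !== false; }
        public function getNormalizedResult(): string { return strip_tags($this->v); }
    };
};

// Constructed sample inputs: clean text, a script tag, and a simulated service failure.
foreach (['Nice post & thanks!', '<script>alert(1)</script>hi', 'SIMULATE_OUTAGE'] as $input) {
    $r = screenInput($input, $stub);
    echo json_encode($r), PHP_EOL;
    if ($r['accepted']) {
        echo renderComment($r['value']), PHP_EOL;
    }
}
```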

It’s just that easy! Now you have a free, low-code XSS prevention solution to protect your website.

Please note that free accounts will allow a limit of 800 API calls per month with zero additional commitments; once you reach your limit, your total will reset the following month (you can upgrade to various enterprise accounts if further bandwidth is required).



