There is not (and cannot be) one tool you can deploy and then never have to think about security again. Deploying ‘anti-XSS’ hacks like CakePHP’s Sanitize::clean will get in users’ way by blocking valid input, whilst still not necessarily making the app secure. Input filtering hacks are at best an obfuscation measure, not a fix for security holes.

To have a secure web application, you must write a secure web application, from the ground up. That means, primarily, attention to detail when you are putting strings from one context into another. In particular:

• any time you write a string to HTML text content or attribute value, HTML-escape it (htmlspecialchars()) to avoid HTML-injection leading to XSS. This isn’t just a matter of user input that might contain attacks, it’s the correct way to put plain text into HTML.

  Where you are using HTML helper methods, they should take care of HTML-escaping of those elements by default (unless you turn off escape); it is very unfortunate that the CakePHP tutorial includes the bad practice of echoing unescaped strings into HTML for text outside of HTML helpers.

• any time you create SQL queries with string values, SQL-escape it (with an appropriate function for your database such as mysql_real_escape_string).

  If you are using CakePHP’s ORM and not writing your own SQL you don’t have to worry about this.

• avoid using user input (eg file upload names) to name files on the filesystem (generate clean unique IDs instead) or as any part of a system() command.

• include the Security component to add a form submission token scheme that will prevent XSRF on forms generated by CakePHP.