(Brent) #1

test.php?color=333&background=</style>. This keeps it flexible
for the end user but still safe to use.


If you are dealing with content that cannot be easily whitelisted, then you’ll
need to filter out all the malicious code that someone could inject. This is
quite the rat-race because new browser quirks are being found all the time
that allow an attacker to execute code.


The most basic way to deal with this is to use the native PHP filters on
anything that comes in. But a quite sophisticated package called HTML
Purifier is also available.
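An added example (not code from the original post) that puts the two approaches above side by side: the colour parameter from the `test.php?color=...` snippet is whitelisted with a strict pattern so that a payload such as `</style><script>` can never close the style block, display-only text is escaped, and content that may legitimately carry markup goes through HTML Purifier when the library is installed, with `strip_tags()` as the weaker native fallback. The function names, the allow-lists and the sample request values are this example's own assumptions:

```php
<?php
// Added example, not part of the original post. Function names, allow-lists
// and the constructed $get array are assumptions made for illustration.

declare(strict_types=1);

/**
 * Accept only a 3- or 6-digit hex colour; anything else falls back to a
 * default, so "</style><script>" style payloads never reach the page.
 */
function safeHexColor(?string $input, string $default = '000000'): string
{
    if ($input !== null && preg_match('/^[0-9a-fA-F]{3}([0-9a-fA-F]{3})?$/', $input) === 1) {
        return strtolower($input);
    }
    return $default;
}

/**
 * Free-form text that is only ever displayed: escape every HTML
 * metacharacter so the browser renders it literally.
 */
function escapeText(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Content that may legitimately contain markup: use HTML Purifier when the
 * library is available, otherwise fall back to strip_tags() with a short
 * allow-list. strip_tags() keeps attributes on allowed tags, which is why
 * <a> (and its href) is deliberately left out of the fallback list.
 */
function cleanHtml(string $input): string
{
    if (class_exists('HTMLPurifier')) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        return (new HTMLPurifier($config))->purify($input);
    }
    return strip_tags($input, '<p><b><i><em><strong>');
}

// Constructed sample input standing in for $_GET on a page like test.php
$get = [
    'color'      => '333',
    'background' => '</style><script>alert(1)</script>',
    'bio'        => '<b>Hi</b><img src=x onerror=alert(1)>',
];

$color      = safeHexColor($get['color'] ?? null);            // "333"
$background = safeHexColor($get['background'] ?? null, 'fff'); // falls back to "fff"

echo "<style>body{color:#{$color};background:#{$background}}</style>\n";
echo '<p>' . escapeText($get['background']) . "</p>\n";   // rendered as literal text
echo cleanHtml($get['bio']) . "\n";                        // <b>Hi</b>, the <img> is dropped
```

The whitelist branch is the one to prefer wherever the value has a known shape (a colour, a number, one of a fixed set of names): a rejected value is simply replaced, and there is no list of dangerous strings to keep up to date as new browser quirks appear. Escaping and purifying are for the cases where the input genuinely has to be free-form.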


Housekeeping


One very important part of security is keeping your server clean. If you have
old, insecure code lying around, it won’t matter whether your main website
is hardened and up-to-date with the best security measures. Your server is
as vulnerable as its weakest and least-maintained code.


Check what you have on your server from time to time, and delete or move
things that you are not interested in any more or couldn’t be bothered to
maintain. Instead of deleting code, you could move it to a repository such
as Google Code or GitHub and redirect the old folder to it.
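As an added example (not part of the original post) of the periodic check this paragraph recommends, the following PHP command-line script lists the top-level directories under a web root whose newest file has not changed for longer than a threshold, so they can be reviewed, moved to a repository, or deleted. The default root path, the threshold and the function names are this example's own assumptions:

```php
<?php
// Added example, not part of the original post. The root path, the
// day threshold and the function names are assumptions for illustration.

declare(strict_types=1);

/** Newest modification time of $dir itself or of any file beneath it. */
function newestMtime(string $dir): int
{
    $newest = filemtime($dir) ?: 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $newest = max($newest, $file->getMTime());
    }
    return $newest;
}

/**
 * Return [directory name => age in days] for every top-level directory
 * under $root whose newest file is older than $maxDays, oldest first.
 * $now can be supplied so the result is reproducible.
 */
function staleDirectories(string $root, int $maxDays = 365, ?int $now = null): array
{
    $now   = $now ?? time();
    $stale = [];
    foreach (new DirectoryIterator($root) as $entry) {
        if ($entry->isDot() || !$entry->isDir()) {
            continue;
        }
        $ageDays = intdiv($now - newestMtime($entry->getPathname()), 86400);
        if ($ageDays > $maxDays) {
            $stale[$entry->getFilename()] = $ageDays;
        }
    }
    arsort($stale);
    return $stale;
}

// Usage: php stale-dirs.php [web-root] [max-days]
$root    = $argv[1] ?? '/var/www';          // assumed web root
$maxDays = (int) ($argv[2] ?? 365);

foreach (staleDirectories($root, $maxDays) as $name => $age) {
    printf("%-40s last change %d days ago\n", $name, $age);
}
```

Run it from cron and read the output as a to-do list rather than acting on it automatically: an old directory that is still linked from the live site needs a redirect set up before it disappears, which is exactly the repository-plus-redirect step the paragraph describes.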


It is also not a good idea to use the same server to test things and run a
live product. Use one server as a test platform for playing around and
another for grown-up stuff. It is especially important to have a different
domain for each to protect your cookies.
