XSS Protection
By Dracony on 18 March 2013

In its simplest form, an XSS attack is passing pieces of HTML along with form input to alter page behaviour in a malicious way. Consider someone registering an account on your site and using this as their username:

Attack<script>alert('hacked');</script>

Whenever that person's username is displayed on the site, it can trigger the alert; a more cunning attacker can get all sorts of things done this way. Usually you have to filter user input to prevent this. PHPixie now does that for you by default, by executing strip_tags() on all input data you access via the post() and get() methods. You can still access the raw input if you wish.

class Home_Controller extends Controller{
    //.....
    public function action_save(){

        //If the username is entered as
        //'Pixie<script></script>'
        //this will just return 'Pixie',
        //because strip_tags() is applied by default
        $safe=$this->post('username');

        //Setting the third parameter to false
        //skips strip_tags() and returns the raw input
        $raw=$this->post('username',null,false);
    }
}

If your website actually allows users to enter HTML, for example if you are making a blog, you will probably want to get the raw input and filter it yourself, stripping away only the malicious pieces. There are a lot of XSS protection libraries that allow you to do so.
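As an added example (not PHPixie's own code), the following stand-alone script shows what strip_tags() does to the usernames from this post and pairs the input filter with output escaping, which is the defence that still holds when raw input has been stored. The function names are assumptions made for this example.

```php
<?php
// Added example, not part of PHPixie: compare input filtering with strip_tags()
// against escaping at output time.

// Mirrors the default post()/get() behaviour described in the post:
// strip_tags() removes tags, but keeps the text that was between them.
function filter_input_like_phpixie(string $value): string
{
    return strip_tags($value);
}

// Escape for an HTML text context at render time. This makes the stored value
// harmless on display even if it was saved raw (third parameter false).
function render_username(string $username): string
{
    return '<span class="user">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Constructed sample inputs, taken from the text of the post.
$samples = [
    "Pixie<script></script>",                  // empty tags: only 'Pixie' remains
    "Attack<script>alert('hacked');</script>", // tags removed, script text remains
];

foreach ($samples as $raw) {
    $stripped = filter_input_like_phpixie($raw);
    echo "raw:      {$raw}\n";
    echo "stripped: {$stripped}\n";            // no tags left, so no script executes
    echo "rendered: " . render_username($raw) . "\n\n"; // raw value, safely escaped
}
```

Run it with `php example.php`; note that strip_tags() leaves the text inside removed tags in place, so treat it as a tag filter and still escape on output.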
