Insecure Processing of Data

This category covers the following issues:

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

Why is this important?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target legitimate users of a web application by sending malicious script code to them.

Check out this video for a high-level explanation:

Fixing Cross-Site Scripting

Option A: Perform output encoding

Go through the issues that GuardRails identified in the PR.
Look for patterns like this:

  echo "Hello, " . $_GET['name'];

and replace it with:

  $name = htmlspecialchars($_GET['name']), ENT_QUOTES;
  echo "Hello, " . $name;

  // Note that htmlspecialchars($a, ENT_QUOTES), doesn't protect against
  // user input in certain attributes. Such as <a href='$input'>x</a>.
  // For these usecases, leverage http://php.net/rawurlencode

Test it
Ship it 🚢 and relax 🌴

More information:

Docs for htmlspecialchars()
Docs for rawurlencode()
OWASP Cheat Sheet - XSS

GuardRails

General

Apex

C/C++

Dotnet

Elixir

Go

Java

Javascript/TypeScript

Kubernetes

PHP

Python

Ruby

Rust

Solidity

Terraform