Insecure Processing of Data

This category covers the following issues:

Cross-Site Scripting (XSS)

Why is this important?

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise trusted websites. They allow attackers to target legitimate users of a web application by getting malicious script code to run in those users' browsers.

Check out this video for a high-level explanation:

Cross-Site Scripting

Fixing Cross-Site Scripting

Option A: Perform output encoding

  1. Go through the issues that GuardRails identified in the PR

  2. Look for patterns like this:

    echo "Hello, " . $_GET['name'];

    and replace it with:

    $name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
    echo "Hello, " . $name;
    // Note that htmlspecialchars($a, ENT_QUOTES) doesn't protect against
    // user input in certain attributes, such as <a href='$input'>x</a>.
    // For these use cases, leverage http://php.net/rawurlencode
  3. Test it

  4. Ship it 🚢 and relax 🌴
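The steps above boil down to encoding for the context the data lands in. The following is an added example, not code from the GuardRails documentation: a small `e()` helper (a name chosen here) for HTML text and quoted attributes, and a `profileLink()` helper (also hypothetical) that shows the href case the note mentions, where `rawurlencode()` handles the URL parameter and the result is still HTML-encoded because it sits inside an attribute. The sample inputs are constructed stand-ins for `$_GET` values.

```php
<?php
// Added example: context-aware output encoding for the two cases above.
// Not part of the GuardRails docs; helper names are chosen for illustration.

declare(strict_types=1);

/**
 * Encode a value for HTML text or a quoted HTML attribute.
 * ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of silently returning an empty string, and the charset is explicit.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build a link to a fixed path with a user-controlled query value.
 * rawurlencode() is correct for a single URL component; the assembled URL
 * is then passed through e() because it is placed inside an HTML attribute.
 */
function profileLink(string $username): string
{
    $url = '/profile?user=' . rawurlencode($username);
    return '<a href="' . e($url) . '">' . e($username) . '</a>';
}

// Constructed inputs standing in for request parameters.
$name = $_GET['name'] ?? '<b>Mallory</b>';
$user = $_GET['user'] ?? "bob' onmouseover='x";

echo 'Hello, ' . e($name) . "\n";
// Hello, &lt;b&gt;Mallory&lt;/b&gt;

echo profileLink($user) . "\n";
// <a href="/profile?user=bob%27%20onmouseover%3D%27x">bob&#039; onmouseover=&#039;x</a>
```

`rawurlencode()` is for a value that becomes one component of a URL you control. If the whole href comes from the user, encoding alone is not enough; the scheme has to be checked against an allowlist (for example only `http` and `https`) before the value is emitted.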

More information: