Insecure Processing of Data

This category covers the following issues:

Cross-Site Scripting (XSS)

Why is this important?

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target legitimate users of a web application by delivering malicious script code to them through the site itself.

Check out this video for a high-level explanation:

Cross-Site Scripting

Fixing Cross-Site Scripting

Option A: Perform output encoding

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like this:

     echo "Hello, " . $_GET['name'];
    

    and replace it with:

     $name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
     echo "Hello, " . $name;

     // Note that htmlspecialchars($a, ENT_QUOTES) doesn't protect against
     // user input in certain attributes, such as <a href='$input'>x</a>.
     // For these use cases, leverage http://php.net/rawurlencode
  3. Test it

  4. Ship it 🚢 and relax 🌴
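As an added example (not part of the GuardRails documentation), the script below applies the two encoders discussed above in the contexts they are meant for: htmlspecialchars() for HTML text and attribute values, and rawurlencode() for a user-supplied value placed into a URL query component. The helper names (encodeHtml, encodeUrlParam, buildSearchLink, safeHref) and the sample inputs are made up for illustration.

```php
<?php
declare(strict_types=1);

// Encode for HTML text content and for quoted attribute values.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of making htmlspecialchars() return an empty string.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode a value destined for a URL query component (e.g. the q in ?q=...).
// rawurlencode() percent-encodes everything outside the unreserved set, so the
// value cannot add extra parameters or break out of the query string.
function encodeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// Build a link whose path is fixed by the application and whose query value
// comes from user input. Two layers: URL-encode the query component first,
// then HTML-encode the whole attribute value.
function buildSearchLink(string $userQuery): string
{
    $url = '/search?q=' . encodeUrlParam($userQuery);
    return '<a href="' . encodeHtml($url) . '">' . encodeHtml($userQuery) . '</a>';
}

// When the user controls the entire href, encoding alone is not enough:
// htmlspecialchars() leaves "javascript:alert(1)" untouched because it
// contains no HTML metacharacters. Allow only http/https URLs and fall back
// to a harmless value otherwise.
function safeHref(string $candidate): string
{
    $scheme = parse_url($candidate, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return encodeHtml($candidate);
}

// Constructed sample inputs (not real traffic), covering the three contexts.
$samples = [
    'Alice',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    'https://example.com/?x=1&y=2',
    'javascript:alert(1)',
];

foreach ($samples as $input) {
    echo 'Hello, ' . encodeHtml($input) . "\n";
    echo buildSearchLink($input) . "\n";
    echo '<a href="' . safeHref($input) . '">link</a>' . "\n";
}
```

Running the script shows that every `<`, `>`, `"` and `'` in the greeting and in the link text becomes an entity, the query value arrives percent-encoded (`%3Cscript%3E...`), and only the `https://...` sample survives safeHref() as a usable link. Which encoder applies depends on where the value lands in the page, not on where it came from.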

More information: