Insecure Processing of Data
This category covers the following issues:
Cross-Site Scripting (XSS)
Why is this important?
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise trusted websites. XSS attacks allow attackers to target the legitimate users of a web application by sending malicious script code to them, which then runs in the victim's browser with the trust of the vulnerable site.
Fixing Cross-Site Scripting
Option A: Perform output encoding
- Go through the issues that GuardRails identified in the PR.
- Look for patterns like this:

```php
echo "Hello, " . $_GET['name'];
```

  and replace it with:

```php
$name = htmlspecialchars($_GET['name'], ENT_QUOTES);
echo "Hello, " . $name;
// Note that htmlspecialchars($a, ENT_QUOTES) doesn't protect against
// user input in certain attributes, such as <a href='$input'>x</a>.
// For these use cases, leverage http://php.net/rawurlencode
```
- Ship it 🚢 and relax 🌴
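The same untrusted value often ends up in more than one output context, and each needs its own encoder. The following PHP is an added example, not code from the GuardRails page or its tooling; the helper names and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the GuardRails docs): one untrusted value encoded
// for three output contexts. Helper names are assumptions for this example.
declare(strict_types=1);

// HTML text content and quoted attribute values: escape < > & " '.
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function escHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value placed inside a URL (query parameter or path segment): percent-encode
// only the parameter; the scheme and path stay fixed by the application, so the
// user can never supply a whole URL. The result still gets HTML-escaped when it
// is written into the href attribute.
function escUrlParam(string $untrusted): string
{
    return rawurlencode($untrusted);
}

function renderGreeting(string $name): string
{
    $safeName = escHtml($name);
    $safeHref = escHtml('/profile?user=' . escUrlParam($name));
    return "<p>Hello, {$safeName}</p>\n"
         . "<input type=\"text\" value=\"{$safeName}\">\n"
         . "<a href=\"{$safeHref}\">Profile</a>\n";
}

// Constructed sample input: quotes and angle brackets that would break out of
// the text, attribute and URL contexts if echoed raw.
$sample = "Bob\" <b>&</b> 'Carol'";
echo renderGreeting($sample);
```

Apply `escHtml()` at the point of output rather than on the way into the database, so the stored value stays intact for other consumers and each template decides the correct encoding for its own context.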