
Cross-site scripting vulnerability from a URL GET parameter

It shows a confirm box; how do I avoid this issue?

example: www.example.com?business_sector="-confirm(`xss`)-"

Note: xss starts and ends with "`" (backtick).

How do I fix this issue using PHP?

user3101664
    Not really sure what you're asking. The way to avoid such vulnerabilities is to sanitize your input (including from query strings), but do you have a specific question on the subject? – Ynhockey Nov 21 '17 at 09:40
  • The value -confirm(`xss`)- is assigned to the business_sector parameter, so whenever the page loads with this parameter it shows a confirm box. How do I avoid this issue? – user3101664 Nov 21 '17 at 09:44

1 Answer

The issue occurred because of the backtick symbol.

example: www.example.com?business_sector="-confirm(`xss`)-"

So I replaced the backtick with its HTML entity (encoder/decoder):

$data = preg_replace("/[`]/", "&#96;", $data); // Replace each backtick with its HTML entity &#96;

Issue fixed.

user3101664
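The payload in the question breaks out of the place the parameter is reflected into (the leading `"` does the work; the backtick only lets the call avoid quotes), so the defence that covers every such character is to encode the whole value for the context it lands in rather than replacing one symbol. The following is an added PHP example, not the poster's code; the element and script names are assumptions for illustration.

```php
<?php
// Added example: context-aware output encoding for a reflected GET parameter.
// The markup and variable names are assumed for illustration.

// Constructed sample input, identical to the payload shown in the question.
$sample = '"-confirm(`xss`)-"';

// Vulnerable: the raw parameter lands in an HTML attribute and in a JS string
// literal. The leading quote closes the literal, and the rest runs as code.
function render_unsafe(string $value): string {
    return "<input name=\"business_sector\" value=\"$value\">\n"
         . "<script>var sector = \"$value\";</script>\n";
}

// Hardened: encode for the exact context the value is written into.
function render_safe(string $value): string {
    // HTML attribute context: escape & < > " ' so the attribute cannot be closed early.
    $attr = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // JavaScript string context: emit a JSON string literal; the HEX flags also
    // escape < > & ' " so the literal can neither end nor terminate </script>.
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<input name=\"business_sector\" value=\"$attr\">\n"
         . "<script>var sector = $js;</script>\n";
}

// Use the real parameter when present, otherwise the constructed sample.
$value = $_GET['business_sector'] ?? $sample;
echo render_safe($value);
```

With the sample input, render_safe emits the quotes as `&quot;` in the attribute and as `\u0022` inside the script, so the backtick that remains is just a character inside a closed string literal.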