
We have a core PHP application. We had it tested by a security agency and they notified us that our site has a cross-site scripting problem. They reported the same issue on most of the pages. The exact error they reported is

Cross-site scripting (reflected) /users/main/commoncontacts.php [name of an arbitrary supplied URL parameter]

They have also shared the GET request they sent:

/users/main/commoncontacts.php/v8hhi">alert(1)g2gx7

I have spent a lot of time looking for a solution for this. Everyone talks about different methods for stopping the injection, but they mainly all talk about the parameter value, not the parameter name. So when a non-existent parameter name is passed, how does this happen?

One of my assumptions is that I should use the parse_url and parse_str functions to check for a suspicious parameter and, if I find one, show an error message or send an error response.

Please help.

    Please share the code where you use the parameter name – P Varga Mar 08 '19 at 22:16
  • `htmlspecialchars` would probably resolve the issue. Don't pass user input directly to the DOM. – user3783243 Mar 08 '19 at 22:18
  • I would recommend `htmlentities` over `htmlspecialchars` - https://stackoverflow.com/questions/3623236/htmlspecialchars-vs-htmlentities-when-concerned-with-xss – ArtisticPhoenix Mar 08 '19 at 22:31
  • We are not passing user input directly to the DOM. The testing agency just provided us the URL they used to show us the issue. My question is about the parameter name, which we don't even use anywhere in the code. – Puneet Sindhwani Mar 11 '19 at 06:32

1 Answer


That's why we need validation; trim, htmlentities and htmlspecialchars are also needed.

Ani
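An added example (not code from the question or the answer) showing how a finding like this arises without any real parameter being read, and how the escaping suggested in the comments fixes it. It assumes the page builds a form action or link from `$_SERVER['PHP_SELF']` or `$_SERVER['REQUEST_URI']`, which is a guess since the question does not show the code; the request array below is constructed from the probe quoted in the question.

```php
<?php
// The scanner's probe sits in the path after "commoncontacts.php/". PHP exposes
// that tail as PATH_INFO and folds it into PHP_SELF, so a page that echoes its
// own URL reflects the probe even though no parameter of that name is ever read.
// ASSUMPTION: the affected page does something like formActionUnsafe() below.

// Constructed request, modelled on the GET request quoted in the question.
$server = [
    'SCRIPT_NAME' => '/users/main/commoncontacts.php',
    'PATH_INFO'   => '/v8hhi">alert(1)g2gx7',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// BEFORE: the raw URL is placed in an attribute, so '">' closes the attribute
// and the tag, and whatever follows is parsed as markup.
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// AFTER (1): escape for the HTML attribute context. ENT_QUOTES converts both
// quote kinds; passing the charset explicitly avoids encoding surprises.
function formActionEscaped(array $server): string
{
    $safe = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// AFTER (2): better still, do not reflect the request URL at all. SCRIPT_NAME
// holds only the script path (no PATH_INFO); it is escaped anyway.
function formActionFixed(array $server): string
{
    $safe = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// The question's own idea, made concrete: this script expects no PATH_INFO,
// so a non-empty value is unexpected and the request can be answered with 404.
function hasUnexpectedPathInfo(array $server): bool
{
    return isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '';
}

echo "unsafe : ", formActionUnsafe($server), "\n";
echo "escaped: ", formActionEscaped($server), "\n";
echo "fixed  : ", formActionFixed($server), "\n";
echo "reject : ", hasUnexpectedPathInfo($server) ? "yes" : "no", "\n";
```

Run it from the CLI to compare the three outputs: only the unsafe variant leaves the `"` and `>` from the probe intact inside the attribute.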