psalm/docs/running_psalm/issues/TaintedHtml.md

# TaintedHtml

Emitted when user-controlled input that can contain HTML can be passed into to an `echo` statement.

## Risk

This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:

- Stealing authentication material (e.g. cookies, JWT tokens)
- Exfiltrate sensitive information by reading the DOM
- Keylog entries on the website (e.g. fake login form)

Whether this is exploitable or not depends on a few conditions:

- Is an executable mimetype set? (e.g. `text/html`)
- Is the content served inline or as attachment? (`Content-Disposition`)
- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)

## Example

```php
<?php

$name = $_GET["name"];

printName($name);

function printName(string $name) {
    echo $name;
}
```

## Mitigations

- Sanitize user-input by using functions such as `htmlentities` or use an allowlist.
- Set all cookies to `HTTPOnly`.
- Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.

## Further resources

- [OWASP Wiki for Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
- [Content-Security-Policy - Web Fundamentals](https://developers.google.com/web/fundamentals/security/csp)
Break out TaintedInput issues into a lot of separate ones 2020-11-17 18:44:31 +01:00			`# TaintedHtml`

Fix #5918 - add new issue to detect unquoted strings 2021-06-10 23:43:04 +02:00			Emitted when user-controlled input that can contain HTML can be passed into to an `echo` statement.
Break out TaintedInput issues into a lot of separate ones 2020-11-17 18:44:31 +01:00
Add more verbose description for TaintedHtml (#4668) Ref https://github.com/vimeo/psalm/issues/4590 2020-11-23 01:14:48 +01:00			`## Risk`

			`This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:`

			`- Stealing authentication material (e.g. cookies, JWT tokens)`
			`- Exfiltrate sensitive information by reading the DOM`
			`- Keylog entries on the website (e.g. fake login form)`

[skip ci] Fix typos in docs/ 2021-08-05 22:39:01 +02:00			`Whether this is exploitable or not depends on a few conditions:`
Add more verbose description for TaintedHtml (#4668) Ref https://github.com/vimeo/psalm/issues/4590 2020-11-23 01:14:48 +01:00
			- Is an executable mimetype set? (e.g. `text/html`)
			- Is the content served inline or as attachment? (`Content-Disposition`)
			`- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)`

			`## Example`

Break out TaintedInput issues into a lot of separate ones 2020-11-17 18:44:31 +01:00			```php
			`<?php`

			`$name = $_GET["name"];`

			`printName($name);`

			`function printName(string $name) {`
			`echo $name;`
			`}`
			```
Add more verbose description for TaintedHtml (#4668) Ref https://github.com/vimeo/psalm/issues/4590 2020-11-23 01:14:48 +01:00
			`## Mitigations`

			- Sanitize user-input by using functions such as `htmlentities` or use an allowlist.
			- Set all cookies to `HTTPOnly`.
			`- Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.`

			`## Further resources`

			`- [OWASP Wiki for Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)`
			`- [Content-Security-Policy - Web Fundamentals](https://developers.google.com/web/fundamentals/security/csp)`