2020-11-17 12:44:31 -05:00
# TaintedHtml
2021-06-10 17:43:04 -04:00
Emitted when user-controlled input that can contain HTML can be passed into to an `echo` statement.
2020-11-17 12:44:31 -05:00
2020-11-23 01:14:48 +01:00
## Risk
This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:
- Stealing authentication material (e.g. cookies, JWT tokens)
- Exfiltrate sensitive information by reading the DOM
- Keylog entries on the website (e.g. fake login form)
2021-08-05 16:39:01 -04:00
Whether this is exploitable or not depends on a few conditions:
2020-11-23 01:14:48 +01:00
- Is an executable mimetype set? (e.g. `text/html` )
- Is the content served inline or as attachment? (`Content-Disposition` )
- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)
## Example
2020-11-17 12:44:31 -05:00
```php
< ?php
$name = $_GET["name"];
printName($name);
function printName(string $name) {
echo $name;
}
```
2020-11-23 01:14:48 +01:00
## Mitigations
- Sanitize user-input by using functions such as `htmlentities` or use an allowlist.
- Set all cookies to `HTTPOnly` .
- Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.
2023-05-12 13:02:13 -05:00
- If user input itself is HTML, see [Sanitizing HTML User Input ](../../security_analysis/avoiding_false_positives.md#sanitizing-html-user-input )
2020-11-23 01:14:48 +01:00
## Further resources
- [OWASP Wiki for Cross Site Scripting (XSS) ](https://owasp.org/www-community/attacks/xss/ )
- [Content-Security-Policy - Web Fundamentals ](https://developers.google.com/web/fundamentals/security/csp )