psalm/docs/running_psalm/issues/TaintedTextWithQuotes.md

# TaintedTextWithQuotes

Emitted when user-controlled input that can contain quotation marks can be passed into to an `echo` statement.

## Risk

This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:

- Stealing authentication material (e.g. cookies, JWT tokens)
- Exfiltrate sensitive information by reading the DOM
- Keylog entries on the website (e.g. fake login form)

Whether this is exploitable or not depends on a few conditions:

- Is an executable mimetype set? (e.g. `text/html`)
- Is the content served inline or as attachment? (`Content-Disposition`)
- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)

## Example

```php
<?php
$param = strip_tags($_GET['param']);
?>

<script>
    console.log('<?=$param?>')
</script>
```

Passing `');alert('injection');//` as a `GET` param here would would cause the `alert` to trigger.

## Mitigations

- Sanitize user input by using functions such as `htmlentities` with the `ENT_QUOTES` flag or use an allowlist.
- Set all cookies to `HTTPOnly`.
- Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.

## Further resources

- [OWASP Wiki for Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
- [Content-Security-Policy - Web Fundamentals](https://developers.google.com/web/fundamentals/security/csp)
Fix #5918 - add new issue to detect unquoted strings 2021-06-10 23:43:04 +02:00			`# TaintedTextWithQuotes`

			Emitted when user-controlled input that can contain quotation marks can be passed into to an `echo` statement.

			`## Risk`

			`This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:`

			`- Stealing authentication material (e.g. cookies, JWT tokens)`
			`- Exfiltrate sensitive information by reading the DOM`
			`- Keylog entries on the website (e.g. fake login form)`

[skip ci] Fix typos in docs/ 2021-08-05 22:39:01 +02:00			`Whether this is exploitable or not depends on a few conditions:`
Fix #5918 - add new issue to detect unquoted strings 2021-06-10 23:43:04 +02:00
			- Is an executable mimetype set? (e.g. `text/html`)
			- Is the content served inline or as attachment? (`Content-Disposition`)
			`- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)`

			`## Example`

			```php
			`<?php`
Revert "Add better example" This reverts commit bfd2ab07de09c341f29e8d5770eebffc6e8a9a23. 2021-06-11 04:18:18 +02:00			`$param = strip_tags($_GET['param']);`
Fix #5918 - add new issue to detect unquoted strings 2021-06-10 23:43:04 +02:00			`?>`

			`<script>`
			`console.log('<?=$param?>')`
			`</script>`
			```

			Passing `');alert('injection');//` as a `GET` param here would would cause the `alert` to trigger.

			`## Mitigations`

Update TaintedTextWithQuotes.md 2021-06-10 23:55:07 +02:00			- Sanitize user input by using functions such as `htmlentities` with the `ENT_QUOTES` flag or use an allowlist.
Fix #5918 - add new issue to detect unquoted strings 2021-06-10 23:43:04 +02:00			- Set all cookies to `HTTPOnly`.
			`- Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.`

			`## Further resources`

			`- [OWASP Wiki for Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)`
			`- [Content-Security-Policy - Web Fundamentals](https://developers.google.com/web/fundamentals/security/csp)`