mirror of
https://github.com/danog/psalm.git
synced 2024-12-02 17:52:45 +01:00
1.6 KiB
1.6 KiB
TaintedTextWithQuotes
Emitted when user-controlled input that can contain quotation marks can be passed into to an echo
statement.
Risk
This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include:
- Stealing authentication material (e.g. cookies, JWT tokens)
- Exfiltrate sensitive information by reading the DOM
- Keylog entries on the website (e.g. fake login form)
Whether this is exploitable or not depends on a few conditions:
- Is an executable mimetype set? (e.g.
text/html
) - Is the content served inline or as attachment? (
Content-Disposition
) - Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)
Example
<?php
$param = strip_tags($_GET['param']);
?>
<script>
console.log('<?=$param?>')
</script>
Passing ');alert('injection');//
as a GET
param here would cause the alert
to trigger.
Mitigations
- Sanitize user input by using functions such as
htmlentities
with theENT_QUOTES
flag or use an allowlist. - Set all cookies to
HTTPOnly
. - Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.
- If user input itself is HTML, see Sanitizing HTML User Input