Cross-site scripting
Severity: High

User-controllable input must be sanitized before it is included in output used to dynamically generate a web page. Unsanitized user input can introduce cross-site scripting (XSS) vulnerabilities, in which attacker-supplied markup or script is inadvertently run in the trusted context of the application's page and the victim's browser session.

Detector ID: php/cross-site-scripting@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

function nonCompliant() {
    $name = $_REQUEST['name'];
    // Noncompliant: $name comes straight from the request (query string, POST body or cookie)
    // and is echoed into the page without encoding, so any HTML or script it contains is
    // interpreted by the browser, leaving the application vulnerable to cross-site scripting.
    echo "Hello :".$name;
}

Compliant example

function compliant() {
    $name = $_REQUEST['name'];
    // Compliant: htmlentities() encodes HTML metacharacters (<, >, &, ") so the value
    // is displayed as literal text instead of being parsed as markup.
    print("Hello : " . htmlentities($name));
}
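The compliant pattern above relies on htmlentities() defaults, which differ by PHP version (before 8.1 the default ENT_COMPAT leaves single quotes unencoded, and an invalid byte sequence makes the function return an empty string). The following is an added example, not part of the detector page or its examples, that wraps the encoding in a helper with explicit flags and applies it at the point of output; escapeHtml and greeting are assumed names.

```php
<?php
// Added example: explicit-flag HTML output encoding for the greeting shown on this page.
// ENT_QUOTES also encodes single quotes, which matters when the value lands inside a
// single-quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
// silently returning "" (which would hide the input rather than display it safely).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same greeting as the compliant example, but encoding happens where the value is
// written into HTML, not when it is read from $_REQUEST.
function greeting(string $name): string
{
    return "Hello : " . escapeHtml($name);
}

// The same helper is correct inside a quoted attribute, because ENT_QUOTES covers
// the characters that could terminate the attribute value.
function nameField(string $name): string
{
    return '<input type="text" name="name" value="' . escapeHtml($name) . '">';
}

// Constructed sample inputs: a plain name and values carrying HTML metacharacters.
$samples = [
    'Alice',
    'Bob & "Co" <b>bold</b>',
    "O'Brien",
];

foreach ($samples as $sample) {
    echo greeting($sample), "\n";
    echo nameField($sample), "\n";
}
```

Run with `php example.php` and compare each rendered line with its input: every `<`, `>`, `&`, `"` and `'` arrives as an entity, so the browser shows the text rather than parsing it.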