Rule Definition
This could lead to a potential Cross Site Scripting (XSS) vulnerability. Using a XSS vulnerability, an attacker could inject malicious JavaScript and execute any action JavaScript could do. Examples include: - Stealing authentication material (e.g. cookies, JWT tokens) - Exfiltrate sensitive information by reading the DOM - Keylog entries on the website (e.g. fake login form) Whether this is exploitable or not depends on a few conditions: - Is an executable mimetype set? (e.g. text/html) - Is the content served inline or as attachment? (Content-Disposition) - Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)

Remediation
Sanitize user-input by using functions such as htmlentities with the ENT_QUOTES flag or use an allowlist. Set all cookies to HTTPOnly. Consider using Content Security Policy (CSP), to limit the risk of XSS vulnerabilities.

Violation Code Sample

<?php

function printName(PDOStatement $stmt) {
    $stmt->execute();
    $row = $stmt->fetch();
    $name = $row["name"];
    echo $name;                 // VIOLATION
}

Fixed Code Sample

<?php

function printName(PDOStatement $stmt) {
    $stmt->execute();
    $row = $stmt->fetch();
    $name = $row["name"];
    $escaped_name = htmlentities($name, ENT_QUOTES);  // ESCAPE STRING
    echo $escaped_name;                               // FIXED
}

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') https://cwe.mitre.org/data/definitions/79.html OWASP Wiki for Cross Site Scripting (XSS) https://owasp.org/www-community/attacks/xss/ Content-Security-Policy - Web Fundamentals https://web.dev/csp/