Home/ Questions/Q 8816507
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T04:38:16+00:00

I have this php code and my CMS security auto-test says it’s a XSS

  • 0

I have this php code and my CMS security auto-test says it’s a XSS attack. Why and How can I fix this?

$url = "news.php";
if (isset($_GET['id']))
  $url .= "?id=".$_GET["id"];
echo "<a href='{$url}'>News</a>";
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s XSS (cross site scripting) as someone could call your thing like this:

    ?id='></a><script type='text/javascript'>alert('xss');</script><a href='

    Essentially turning your code into

    <a href='news.php?id='></a><script type='text/javascript'>alert('xss');</script><a href=''>News</a>

    Now whenever someone would visit this site, it’d load and run the javascript alert('xss'); which might as well be a redirector or a cookie stealer.

    As many others have mentioned, you can fix this by using filter_var or intval (if it’s a number). If you want to be more advanced, you could also use regex to match your string.

    Imagine you accept a-z A-Z and 0-9. This would work:

    if (preg_match("/^[0-9a-zA-Z]+$", $_GET["id"])) {
    //whatever
}

    filter_input even has a manual entry doing exactly what you want (sanitizing your input into a link):

    <?php
    $search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
    $search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
    echo "You have searched for $search_html.\n";
    echo "<a href='?search=$search_url'>Search again.</a>";
?>
    • 0