Usage of manual HTML sanitization (XSS)

Description

Manual HTML sanitization can introduce Cross-Site Scripting (XSS) vulnerabilities. The risk arises when developers hand-roll escaping of HTML with string replacement instead of using the language's encoding functions. Such code typically covers only the characters the author thought of (for example `<`, `>` and `&` but not quotes), ignores the context the value is rendered in (element body versus attribute value), and is easy to get wrong in ways that leave the application open to XSS.

Remediations

  • Do not manually escape HTML entities in an attempt to sanitize input or output. Ad-hoc replacement is unreliable (the example below escapes ampersands only, so quotes and angle brackets still pass through) and increases the risk of XSS vulnerabilities.
    $html = str_replace("&", "&amp;", $text); // unsafe: only one of the dangerous characters is handled
  • Do use the built-in HTML escaping function to encode data rendered in an HTML context. htmlspecialchars encodes `&`, `<`, `>` and `"`; pass ENT_QUOTES so single quotes are encoded too (they are not by default before PHP 8.1) and state the charset explicitly.
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
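
The following is an added example, not code from the Bearer rule or its documentation, showing why the hand-rolled approach fails where htmlspecialchars does not. The function names (manual_escape, builtin_escape, render_input) and the attacker payload are constructed for the demonstration.

```php
<?php
// Added example: a hand-rolled HTML "sanitizer" beside the built-in escaper,
// both applied to attacker input placed inside an HTML attribute.
// Run with: php manual_vs_builtin.php

// A typical manual escaper. It handles the three characters the author
// thought of and nothing else: single and double quotes pass through untouched.
function manual_escape(string $text): string
{
    $text = str_replace('&', '&amp;', $text);
    $text = str_replace('<', '&lt;', $text);
    $text = str_replace('>', '&gt;', $text);
    return $text;
}

// The built-in equivalent. ENT_QUOTES encodes both " and ' (single quotes are
// not encoded by default before PHP 8.1); the explicit charset avoids a mismatch
// between PHP's default encoding and the encoding the page is served with.
function builtin_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Template the application uses; $value is attacker-controlled.
function render_input(string $value): string
{
    return '<input type="text" name="q" value="' . $value . '">';
}

// Constructed attacker input aimed at the attribute context. It contains no
// < or > at all: a single double quote is enough to close the value attribute
// and inject an event-handler attribute after it.
$payload = '" autofocus onfocus="alert(document.domain)';

echo "Manual escaping (vulnerable):\n";
echo render_input(manual_escape($payload)), "\n\n";

echo "htmlspecialchars with ENT_QUOTES (safe):\n";
echo render_input(builtin_escape($payload)), "\n";
```

With manual_escape the rendered markup contains `value="" autofocus onfocus="alert(document.domain)"`: the browser closes the attribute at the injected quote and executes the handler as soon as the field receives focus. With builtin_escape every quote becomes `&quot;`, so the whole payload stays inside the attribute value as inert text. Two caveats: htmlspecialchars is an escaper, correct for element bodies and quoted attribute values, not a sanitizer, so if the application must allow some user-supplied markup it needs an allowlisting HTML sanitizer library instead; and it is the wrong encoding for JavaScript, URL or CSS contexts, which need their own context-specific escaping.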

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_manual_html_sanitization

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_manual_html_sanitization