Unsanitized user input detected in echo.

Description

Applications should not include unsanitized user input in responses. This can allow cross-site scripting (XSS) attacks.

Remediations

❌ Avoid including user input directly in the response:

echo "<h1>" . $_GET["title"] . "</h1>";

✅ Sanitize user input when including it in a response:

echo "<h1>" . filter_var($_GET["title"], FILTER_SANITIZE_STRING) . "</h1>";
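The vulnerable pattern beside a hardened version, as an added example that is not part of the Bearer rule page. It escapes with htmlspecialchars() instead of FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1; the function names and the sample title value are constructed for the example.

```php
<?php
// Added example (not Bearer's own code): the same echo, raw vs. escaped.

// Vulnerable: the query parameter is concatenated into the HTML body as-is,
// so any markup in it is parsed and executed by the browser.
function render_title_raw(string $title): string
{
    return "<h1>" . $title . "</h1>";
}

// Hardened: encode for the HTML-body context at the point of output.
// ENT_QUOTES also escapes single quotes, so the same helper is safe inside
// quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of returning an empty string. htmlspecialchars() is preferred over
// FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1.
function render_title_safe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>" . $escaped . "</h1>";
}

// Constructed input: when run from the CLI, $_GET is empty and the fallback
// stands in for an attacker-controlled title value.
$title = $_GET['title'] ?? '<script>alert(1)</script>';

echo render_title_raw($title), PHP_EOL;   // markup is emitted unchanged
echo render_title_safe($title), PHP_EOL;  // markup is emitted as entities
```

Escaping is context-specific: htmlspecialchars() is correct for HTML body and attribute values, but a value placed inside a script block, a URL, or CSS needs the encoder for that context.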

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=php_lang_raw_output_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=php_lang_raw_output_using_user_input