Unsanitized user input detected in echo.

• Rule ID: php_lang_raw_output_using_user_input
• Languages: php
• Source: raw_output_using_user_input.yml

Description

Applications should not include unsanitized user input in responses. This can allow cross-site scripting (XSS) attacks.

Remediations

❌ Avoid including user input directly in the response:

echo "<h1>" . $_GET["title"] . "</h1>"

✅ Sanitize user input when including it in a response:

echo "<h1>" . filter_var($_GET["title"], FILTER_SANITIZE_STRING). "</h1>"

Resources

• OWASP Cross-Site Scripting (XSS) Cheatsheet

Associated CWE

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_raw_output_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_raw_output_using_user_input