Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Doctrine
- Lang
- Security
- Security
- Audit
- Injection
- Search-active-debug
- Search-cookie-secure-false-ini-config
- Taint-cookie-http-false
- Taint-cookie-secure-false
- Taint-unsafe-echo-tag
- Tainted-code-execution
- Tainted-command-injection
- Tainted-curl-injection
- Tainted-path-traversal
- Tainted-url-to-connection
- Tainted-url-to-guzzle-client
- Tainted-url-to-httpful
- Tainted-user-input-in-php-script
- Tainted-user-input-in-script
- Xml-external-entities-unsafe-entity-loader
- Xml-external-entities-unsafe-parser-flags
- Laravel
- Secrets
- Symfony
- Wordpress-plugins
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Taint unsafe echo tag
Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from $_REQUEST[...]
. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with htmlspecialchars
or use automatic context-aware escaping with a template engine such as Latte.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection