You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Variables, constants and function calls are not included in the report if concatenated with something which has already been included. Is there any way to override this behaviour other than adding the safe constant to getXSSMitigationFunctions?
echoSAFE_CONSTANT . vulnerableFunction();
// Warning: Possible XSS detected with SAFE_CONSTANT on echo
When reviewing the report, it can give the impression that an issue is safe when it is not.
Here are some examples from a quick test:
/** * Warning: Possible XSS detected with CONSTANT on echo * Warning: Possible XSS detected with $var on echo */echoCONSTANT; echo$var;
/** * Warning: Possible XSS detected with CONSTANT on echo */echoCONSTANT . $var;
/** * Error: Easy XSS detected because of direct user input with $_GET on echo * Error: Easy XSS detected because of direct user input with $_GET on echo */echo$_GET['one'] . $_GET['two'];
/** * Warning: Possible XSS detected with $varOne on echo */echo$varOne . $varTwo;
/** * Warning: Possible XSS detected with SAFE_CONSTANT on echo */echoSAFE_CONSTANT . vulnerableFunction();
Many thanks
The text was updated successfully, but these errors were encountered:
Variables, constants and function calls are not included in the report if concatenated with something which has already been included. Is there any way to override this behaviour other than adding the safe constant to
getXSSMitigationFunctions?When reviewing the report, it can give the impression that an issue is safe when it is not.
Here are some examples from a quick test:
Many thanks
The text was updated successfully, but these errors were encountered: