PHP - Basic XSS not matching #1781
Comments
Try providing a complete statement by closing the pattern with a semicolon:
@Sjord already tried that, does not work :/
This works: https://semgrep.dev/s/Nx3A/
Or this: https://semgrep.dev/s/kWye/ In semgrep you usually can't write partial constructs, and echo in PHP is at the statement level, not expression level, so it has to finish with a ';'. Not sure why there was a backslash before the $_GET in your example, but yet it does not work.
@erwanlr a better example is https://semgrep.dev/s/KdzY - I also have a couple other rules here https://gist.github.com/rezen/9908fb3a0cbe1a38ffd15cbc8f43b6f0 @aryx where do community rulesets live? We could contribute some php rules - is https://github.com/returntocorp/semgrep-rules the place?
Yes! We would love you to contribute rules in semgrep-rules.
Thank you @rezen for the examples :) There is still a bug (false positive), taking https://semgrep.dev/s/KdzY rules,
Describe the bug
I've been trying to write a pattern to catch a basic XSS, but it's always reported as
Pattern could not be parsed as a PHP semgrep pattern
To Reproduce
https://semgrep.dev/s/1Ld5/
Expected behavior
I was expecting to have at least a match for the pattern
echo $X