Do not write responses with unsanitized data


Metadata

ID: php-security/laravel-response-write

Language: PHP

Severity: Error

Category: Security

CWE: 79

Description

Injecting unsanitized data into responses can lead to several security vulnerabilities, including Cross-Site Scripting (XSS) attacks. XSS attacks occur when a malicious script is injected into a trusted website, which can compromise data integrity or steal sensitive information.

To comply with this rule, always sanitize or validate data before including it in a response. PHP provides several built-in functions such as filter_var(), htmlspecialchars(), and strip_tags() that can be used for sanitizing data.

Non-Compliant Code Examples

<?php
class UserController extends Controller
{
  public function test0($data)
  {
    return response('Data is '.$data, 200)->header('Content-Type', 'text/html');
  }

  public function test1($data)
  {
    return response("Data is {$data}")
      ->withHeaders([
        'Content-Type' => "text/html",
      ]);
  }
}

Route::get('/endpoint/{data}', function ($data) {
  $cookie = cookie('example', 'value', 60); // constructed so the snippet runs; not part of the rule pattern
  return response("Data is {$data}")
    ->cookie($cookie)
    ->withHeaders([
      'Content-Type' => 'text/html',
    ]);
});

Compliant Code Examples

<?php
class UserController extends Controller
{
  public function test0($data)
  {
    $content = sanitize($data);
    return response('Data is '. $content, 200)->header('Content-Type', 'text/html');
  }

  public function test1($data)
  {
    $content = validate($data);
    return response("Data is {$content}")
      ->withHeaders([
        'Content-Type' => "text/html",
      ]);
  }
}

Route::get('/endpoint/{data}', function ($data) {
  $cookie = cookie('example', 'value', 60); // constructed so the snippet runs; not part of the rule pattern
  $var = sanitize($data);
  return response("Data is {$var}")
    ->cookie($cookie)
    ->withHeaders([
      'Content-Type' => 'text/html',
    ]);
});
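The compliant examples above use placeholder sanitize() and validate() calls. As an added example (not from the rule page or the Laravel project), the following routes/web.php fragment shows what that step looks like for an HTML response: HTML-escaping the route parameter with htmlspecialchars() before concatenating it into the body, and the equivalent using Laravel's own e() helper. Route, response() and e() are assumed to come from a Laravel application; escapeForHtml() is a hypothetical helper defined here.

```php
<?php
// Added example, not part of the Datadog rule page. Assumes a Laravel app (Route, response(), e()).

// Escape a user-controlled string for inclusion in an HTML body.
// ENT_QUOTES also escapes single quotes, so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeForHtml(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same route shape as the rule's example, with the parameter escaped before it
// is written into a text/html response.
Route::get('/endpoint/{data}', function (string $data) {
    $content = escapeForHtml($data);
    return response("Data is {$content}", 200)
        ->header('Content-Type', 'text/html; charset=UTF-8');
});

// Laravel's e() helper applies htmlspecialchars() with ENT_QUOTES and UTF-8,
// which is the same escaping Blade performs for {{ $value }}.
Route::get('/endpoint-e/{data}', function (string $data) {
    return response('Data is '.e($data), 200)
        ->header('Content-Type', 'text/html; charset=UTF-8');
});
```

Escaping is output-specific: validation rules on the input do not make it safe to write into HTML, so apply htmlspecialchars() or e() at the point where the value enters the response body.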