Do not write responses with unsanitized data
ID: php-security/laravel-response-write
Language: PHP
Severity: Error
Category: Security
CWE: 79
Description
Injecting unsanitized data into responses can lead to several security vulnerabilities, including Cross-Site Scripting (XSS). XSS occurs when attacker-controlled input (here, a route parameter) is written into a body that is served as text/html, so the browser interprets it as markup and runs any script it contains in the context of the trusted site, compromising data integrity or stealing sensitive information such as session cookies.
To comply with this rule, always sanitize or validate data before including it in a response. PHP provides several built-in functions for this, such as filter_var(), htmlspecialchars(), and strip_tags(). For HTML output, the correct defense is output escaping: htmlspecialchars() with ENT_QUOTES and an explicit charset, or Laravel's e() helper and Blade {{ }} syntax, which do the same. filter_var() and strip_tags() are useful for validation and cleanup, but they are not sufficient XSS defenses on their own; strip_tags() only removes tags and leaves attribute-breakout payloads (a quote followed by an event handler) untouched.
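The following is an added example, not one of the rule's own fixtures. It uses plain PHP (no Laravel dependency) so it runs stand-alone: escapeHtml() is a hypothetical helper wrapping htmlspecialchars(), renderUnsafe() mirrors the non-compliant concatenation, renderSafe() is the hardened form, and renderStripTags() shows why strip_tags() alone does not protect an attribute context. The attacker inputs are constructed for the demonstration.

```php
<?php
// Added example (not part of the rule documentation or of Laravel itself).
declare(strict_types=1);

/**
 * Hypothetical helper: escape a string for an HTML text node or a
 * double-quoted attribute. ENT_QUOTES also encodes single and double
 * quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: raw concatenation into a body that will be sent as text/html. */
function renderUnsafe(string $data): string
{
    return 'Data is ' . $data;
}

/** Hardened: escape at the point where the value enters the HTML body. */
function renderSafe(string $data): string
{
    return 'Data is ' . escapeHtml($data);
}

/** Insufficient: strip_tags() removes <tags> but not attribute breakouts. */
function renderStripTags(string $data): string
{
    return '<input value="' . strip_tags($data) . '">';
}

/** Hardened attribute context: the same escaper keeps the value inside the quotes. */
function renderAttrSafe(string $data): string
{
    return '<input value="' . escapeHtml($data) . '">';
}

// Constructed attacker inputs: a script tag for a text node, and a
// quote-plus-event-handler breakout for an attribute value.
$scriptPayload = '<script>alert(document.cookie)</script>';
$attrPayload   = '" autofocus onfocus="alert(1)';

echo renderUnsafe($scriptPayload), PHP_EOL;     // script tag reaches the browser intact
echo renderSafe($scriptPayload), PHP_EOL;       // angle brackets become entities, rendered as text
echo renderStripTags($attrPayload), PHP_EOL;    // no tags to strip: the breakout survives
echo renderAttrSafe($attrPayload), PHP_EOL;     // quotes become &quot;, value stays in the attribute
```

Run it with `php example.php` and compare the four lines: only the two escapeHtml() variants produce output in which the attacker-controlled text remains data rather than markup. In a Laravel controller the equivalent is `response('Data is ' . e($data))`, or returning a Blade view that prints the value with `{{ $data }}`; `{!! $data !!}` bypasses escaping and reintroduces the problem.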
Non-Compliant Code Examples
<?php
class UserController extends Controller
{
    // $data is attacker-controlled (route/request input) and is concatenated
    // verbatim into a body served as text/html.
    public function test0($data)
    {
        return response('Data is '.$data, 200)->header('Content-Type', 'text/html');
    }

    // Same flaw via string interpolation and withHeaders().
    public function test1($data)
    {
        return response("Data is {$data}")
            ->withHeaders([
                'Content-Type' => "text/html",
            ]);
    }
}

// Route parameter flows straight into the HTML body; attaching a cookie
// does not change that. ($cookie is built here so the closure runs as written.)
Route::get('/endpoint/{data}', function ($data) {
    $cookie = cookie('visited', '1', 60);
    return response("Data is {$data}")
        ->cookie($cookie)
        ->withHeaders([
            'Content-Type' => 'text/html',
        ]);
});
Compliant Code Examples
<?php
class UserController extends Controller
{
    // sanitize() and validate() stand for project-defined helpers; for a
    // text/html body they must return HTML-escaped output (for example a
    // wrapper around htmlspecialchars() with ENT_QUOTES, or Laravel's e()).
    public function test0($data)
    {
        $content = sanitize($data);
        return response('Data is '. $content, 200)->header('Content-Type', 'text/html');
    }

    public function test1($data)
    {
        $content = validate($data);
        return response("Data is {$content}")
            ->withHeaders([
                'Content-Type' => "text/html",
            ]);
    }
}

// The route parameter is passed through the sanitizer before it reaches the
// body. ($cookie is built here so the closure runs as written.)
Route::get('/endpoint/{data}', function ($data) {
    $cookie = cookie('visited', '1', 60);
    $var = sanitize($data);
    return response("Data is {$var}")
        ->cookie($cookie)
        ->withHeaders([
            'Content-Type' => 'text/html',
        ]);
});