How to fix “Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)” in PHP output string

问题

I have the following php code

<?php 
$Output = '<table><thead><tr>';
$Output .= '<th>Display</th></tr></thead><tbody>'; 
for ($k = 0; $k < count($ColumnsInSQL); $k++) { 
    $Output .= '<tr><td>'.$KS_ResultSet_level[$k][strtoupper(trim($ColumnsInSQL[$k]))].'</td></tr>';
}
$Output .= '</tbody></table>';
echo $Output;
?>

Recently I run the code in Veracode and I am getting issue with "echo $Output;".

Can anyone please help me to fix this?

回答1:

Use htmlentities() to encode special characters in the variable data.

$Output .= '<tr><td>'.htmlentities($KS_ResultSet_level[$k][strtoupper(trim($ColumnsInSQL[$k]))]).'</td></tr>';

来源：https://stackoverflow.com/questions/45075881/how-to-fix-improper-neutralization-of-script-related-html-tags-in-a-web-page-b

标签

php

xss

veracode

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!