My item is soft rejected several times due to xss vulnerabilities

Hi,

I'm having issues finding what causes XSS vulnerabilities in my PHP script. It got rejected 2 times due to XSS vulnerabilities, and the reviewer sent me just a small screenshot which contains an alert with XSS. I have used the CodeIgniter framework, and after the 1st time it got soft rejected I made all the changes using CodeIgniter security functions to avoid these. After the full modification I resubmitted, but it got rejected again due to the same reason. But I can't find any vulnerabilities like that. Can someone help me on this? Is there any tool that I can use to scan my script? Because last time there were XSS issues and I fixed them all, but now I have spent more than 2 days and I couldn't find any issue.

Thanks in advance.

Regards
Ganeendra

Hi

To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.

Thanks

Hi!

Please, public demo link


Can you please have a look?

Here is your solution…

Step-1. Create a Middleware inside app/Http/Middleware and name it "XSSProtection".

Write the following inside the XSSProtection Middleware:

<?php

namespace App\Http\Middleware;

use Closure;

class XSSProtection
{
    /**
     * Strip disallowed tags from every string in the request input before
     * it reaches the controller. Tags in the allow-list are kept unchanged,
     * attributes included, because strip_tags() only removes whole tags.
     */
    public function handle($request, Closure $next)
    {
        $input = array_filter($request->all());

        array_walk_recursive($input, function (&$value) {
            // Uploaded files and other non-string values have nothing to strip.
            if (!is_string($value)) {
                return;
            }

            $value = strip_tags(
                str_replace(['&lt;', '&gt;'], '', $value),
                '<span><p><a><b><i><u><strong><br><hr><table><tr><th><td><ul><ol><li><h1><h2><h3><h4><h5><h6><del><ins><sup><sub><pre><address><img><figure><embed><iframe><video><style>'
            );
        });

        // Overwrite the request input with the filtered values.
        $request->merge($input);

        return $next($request);
    }
}

Step-2. Add this Middleware file inside app/Http/Kernel.php

protected $routeMiddleware = [
    'XSS' => \App\Http\Middleware\XSSProtection::class,
];

Step-3. Now use this Middleware into all of your routes.

Route::middleware(['XSS'])->group(function () {

    // Home Route
    Route::get('/', 'HomeController@index')->name('home');

});

This solution will work with any type of form fields and text editors as well. So you will no longer be required to use any type of sanitizer or filter package for XSS protection.
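As an added example (not code from this thread, from CodeIgniter or from Laravel), here is a small command-line PHP script that compares the two approaches discussed in this thread: the strip_tags allow-list used by the middleware above, and escaping at output time as the first reply recommends ("never output data received as input directly to the browser"). The allow-list is copied from the middleware so the comparison reflects that code; the function names, the crude containsActiveMarkup() check and the sample inputs are constructed for the example.

```php
<?php
// Added example: tag stripping on input versus escaping on output.
// Only ALLOWED_TAGS comes from the thread; everything else is constructed.

declare(strict_types=1);

// The allow-list exactly as used in the posted XSSProtection middleware.
const ALLOWED_TAGS = '<span><p><a><b><i><u><strong><br><hr><table><tr><th><td>'
    . '<ul><ol><li><h1><h2><h3><h4><h5><h6><del><ins><sup><sub><pre><address>'
    . '<img><figure><embed><iframe><video><style>';

/** Input filtering, as done by the posted middleware for each string field. */
function filterOnInput(string $value): string
{
    return strip_tags(str_replace(['&lt;', '&gt;'], '', $value), ALLOWED_TAGS);
}

/**
 * Output escaping for an HTML body or attribute context. This is what
 * CodeIgniter's html_escape() / esc() and Laravel Blade's {{ }} do.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Defender-side check: does the string still contain a real tag that a
 * browser would act on (a script/style/iframe/embed element, or any tag
 * carrying an on* event-handler attribute)? Escaped text has no '<', so it
 * can never match. Constructed for this demo, not a general scanner.
 */
function containsActiveMarkup(string $html): bool
{
    $pattern = '~<(script|style|iframe|embed)\b|<[^>]*\son\w+\s*=~i';
    return (bool) preg_match($pattern, $html);
}

// Constructed sample inputs: one harmless, two textbook XSS probes of the
// kind a reviewer uses to produce the "alert" screenshot from the question.
$samples = [
    'plain'       => 'Hello <b>world</b>',
    'script_tag'  => '<script>alert("xss")</script>',
    'attribute'   => '<img src="x" onerror="alert(1)">',
];

printf("%-12s %-8s %-8s\n", 'sample', 'filter', 'escape');
foreach ($samples as $name => $raw) {
    $filtered = filterOnInput($raw);
    $escaped  = escapeForHtml($raw);
    printf(
        "%-12s %-8s %-8s\n",
        $name,
        containsActiveMarkup($filtered) ? 'ACTIVE' : 'inert',
        containsActiveMarkup($escaped) ? 'ACTIVE' : 'inert'
    );
}
```

Running it with `php demo.php` shows the point of the first reply: the `<script>` probe is removed by the filter, but the `attribute` probe passes through untouched because `<img>` is on the allow-list and strip_tags() never looks at attributes, so the filtered value would still fire in a template that echoes it raw. Escaping at output neutralises every sample. For a submission that keeps getting flagged, the practical check is therefore each place a view echoes request-derived data without `html_escape()` / `esc()` (CodeIgniter) or `{{ }}` (Blade); note that htmlspecialchars() covers HTML body and attribute contexts only, and data placed inside JavaScript, URLs or CSS needs the encoder for that context.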