My item is soft rejected several times due to xss vulnerabilities


I’m having issues finding what causes XSS vulnerabilities in my phpscript. it got rejected 2 times due to XSS vulnerabilities. and reviewer sent me just a small screen shot which contain an alert with xss. i have used Codeigniter framework and after 1st time it got soft rejected i made all the changes using codeigniter security functions to avoid these. After the full modification i resubmitted but it got rejected again due to the same reason. But i can’t find any vulnerabilities like that. can some one help me on this? is there any tool that i can use to scan my script? Because last time there were xss issues and i fixed them all, But now i almost spent more than 2 days and i couldn’t find find any issue.

Thanks in advance.



To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.



Please, public demo link

1 Like

Can you please have a look?

Here is your solution…

Step-1. create a Middleware inside app/Http/Middleware and name it “XSSProtection”.

Write the functions inside XSSProtection Middleware :


use Closure;

class XSSProtection
public function handle($request, Closure $next)
$input = array_filter($request->all());

    array_walk_recursive($input, function(&$input) {
        $input = strip_tags(str_replace(array("&lt;", "&gt;"), '', $input), '<span><p><a><b><i><u><strong><br><hr><table><tr><th><td><ul><ol><li><h1><h2><h3><h4><h5><h6><del><ins><sup><sub><pre><address><img><figure><embed><iframe><video><style>');


    return $next($request);


Step-2. Add this Middleware file inside app/Http/Kernel.php

protected $routeMiddleware = [

‘XSS’ => \App\Http\Middleware\XSSProtection::class,

Step-3. Now use this Middleware into all of your routes.

Route::middleware([‘XSS’])->group(function () {

// Home Route
Route::get('/', 'HomeController@index')->name('home');


This solution will work with any type of form fields and text-editors as well. So you will no more required to use any type of sanitizer or filter package for XSS protection.