The rule php_lang_raw_output_using_user_input returns a false positive.
Description & Reproduction
Rule: php_lang_raw_output_using_user_input (high)
Description: Unsanitized user input in 'echo' function (XSS)
Code extract:
<a href="?page=page&id=<?php echo absint($package_id); ?>" class="nav-tab <?php echo ($current_tab == 'thistab') ? 'nav-tab-active' : '' ?>">
Expected Behavior
In this case, the user-controlled inputs ($package_id and $current_tab) are not directly displayed in the page:
- $package_id is converted to an integer by absint() and cannot lead to XSS
- $current_tab is only compared to a constant string, and one of two constant strings is displayed, so this cannot lead to an XSS
Actual Behavior
The rule is triggered.
Possible Fix
Take into account the absint() and ternary operator.
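As an added example (not from the issue or from Bearer), a stand-alone PHP script that renders the flagged line with constructed hostile values beside the same markup without absint() and the ternary; absint() is WordPress's helper, so a minimal equivalent with the same semantics (assumed: abs((int) $value)) is defined when it is absent.

```php
<?php
// Minimal stand-in for WordPress's absint() so the script runs outside WordPress.
// Assumption: same semantics as the WordPress helper, i.e. abs((int) $value).
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

// Constructed attacker-controlled values, as they might arrive via $_GET.
$package_id  = '42"><script>alert(1)</script>';
$current_tab = '"><img src=x onerror=alert(1)>';

// The line flagged by the rule, rendered with those inputs.
ob_start();
?>
<a href="?page=page&id=<?php echo absint($package_id); ?>" class="nav-tab <?php echo ($current_tab == 'thistab') ? 'nav-tab-active' : '' ?>">
<?php
$sanitized = ob_get_clean();

// The same markup with the sanitizer and the ternary removed: the pattern the
// rule is meant to catch, where user input reaches the attribute verbatim.
ob_start();
?>
<a href="?page=page&id=<?php echo $package_id; ?>" class="nav-tab <?php echo $current_tab; ?>">
<?php
$raw = ob_get_clean();

// Only the leading digits survive absint(), and the ternary can only ever emit
// one of its two constant branches, so no attacker-controlled characters appear.
assert(strpos($sanitized, '<script>') === false);
assert(strpos($sanitized, 'onerror') === false);
assert($sanitized === "<a href=\"?page=page&id=42\" class=\"nav-tab \">\n");

// Without absint() and the ternary, the payloads land in the markup unchanged.
assert(strpos($raw, '<script>') !== false);
assert(strpos($raw, 'onerror') !== false);

echo "sanitized: " . $sanitized;
echo "raw:       " . $raw;
```

Run with `php -d zend.assertions=1 example.php` so the assert() calls are evaluated; a rule that models absint() as a sanitizer and a ternary with constant branches as non-tainted output would not flag the first block.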
Your Environment
- Operating System and version:
- Output of 'bearer version':
bearer version: 1.51.0
sha: 3a762f776f3789c39fcaa4c7dc684bbc382add83