Emitted when user-controlled input that can contain quotation marks can be passed into an
- Stealing authentication material (e.g. cookies, JWT tokens)
- Exfiltrating sensitive information by reading the DOM
- Keylogging entries on the website (e.g. a fake login form)
Whether this is exploitable or not depends on a few conditions:
- Is an executable mimetype set? (e.g.
- Is the content served inline or as attachment? (
- Is the output properly sanitized? (e.g. stripping all HTML tags or having an allowlist of allowed characters)

```php
<?php
$param = strip_tags($_GET['param']);
?>
<script>
    console.log('<?=$param?>')
</script>
```
Passing `');alert('injection');//` as a GET param here would cause the alert to trigger: `strip_tags()` removes tags, but the quote and parenthesis survive and close the JavaScript string early.
- Sanitize user input by using functions such as `htmlentities()` with the `ENT_QUOTES` flag, or use an allowlist.
- Set all cookies to `HttpOnly`.
- Consider using Content Security Policy (CSP) to limit the risk of XSS vulnerabilities.
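The following is an added example (not part of the original page or the Psalm project) that puts the vulnerable `strip_tags()` rendering next to two hardened versions: the `htmlentities()`/`ENT_QUOTES` mitigation listed above, and `json_encode()` with the `JSON_HEX_*` flags, which is the encoding that fits a JavaScript string context. The function names and the sample value are constructed for illustration.

```php
<?php
// Added example; not code from the original page. Run with: php example.php

// Constructed attacker-style value, taken from the payload discussed above.
$param = "');alert('injection');//";

// Vulnerable: strip_tags() only removes tags. The quote and ");" survive,
// so the JS string literal is terminated and the rest is executed as code.
function renderUnsafe(string $value): string
{
    $cleaned = strip_tags($value);
    return "<script>console.log('" . $cleaned . "')</script>";
}

// Mitigation from the list above: htmlentities() with ENT_QUOTES turns ' into
// &#039;, so no raw quote reaches the script and the literal cannot be closed.
// Caveat: browsers do not decode entities inside <script>, so the logged text
// will show "&#039;" literally; the injection is blocked, but the value is mangled.
function renderEntities(string $value): string
{
    $escaped = htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<script>console.log('" . $escaped . "')</script>";
}

// Context-appropriate encoding for a JS string: json_encode() yields a valid
// JS literal, and the JSON_HEX_* flags also neutralise <, >, &, ' and " so a
// value containing "</script>" cannot break out of the script block either.
function renderJson(string $value): string
{
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    return "<script>console.log(" . $literal . ")</script>";
}

// True when the rendered script still contains the raw break-out sequence ');
function breaksOut(string $html): bool
{
    return str_contains($html, "');alert(");
}

foreach (['renderUnsafe', 'renderEntities', 'renderJson'] as $renderer) {
    $html = $renderer($param);
    $status = breaksOut($html) ? 'INJECTABLE' : 'safe';
    echo str_pad($renderer, 15), " [$status] ", $html, PHP_EOL;
}
```

Only `renderUnsafe()` reports `INJECTABLE`; `str_contains()` requires PHP 8.0 or later.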