in reply to Reflected XSS All Clients

Three problems with the code you showed:

1. It doesn't compile.
2. /^[^0-9]$/ only tests whether the string consists of a single character that is not a digit. I assume you meant /[^0-9]/.
3. When an input contains an invalid value, all you do is print an additional line of output; you probably meant die instead of print.

In addition, to prevent XSS attacks, you should use a module to escape any strings you're inserting into the output.
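The following is an added example, not the original poster's script, showing the three points above together: a whole-string digit check that dies on bad input, and HTML-escaping of every user-controlled value before it is reflected. The parameter names, the sample inputs and the use of HTML::Entities (one of several escaping modules that would do) are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not the original poster's code): reject non-numeric
# input with die, and HTML-escape anything reflected into the page.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Accept only a non-empty string of ASCII digits.
# /[^0-9]/ matches as soon as ANY non-digit is present. The original
# /^[^0-9]$/ matched only a string made of exactly one non-digit
# character, so almost every bad input passed it.
sub validate_id {
    my ($value) = @_;
    die "invalid id\n"
        if !defined $value || $value eq '' || $value =~ /[^0-9]/;
    return $value;
}

# Escape for an HTML text or attribute context. Every user-controlled
# string that is echoed back goes through this, whether or not it was
# validated: validation limits what gets in, escaping makes what gets
# out inert for the target format.
sub escape_html {
    my ($text) = @_;
    return encode_entities($text, '<>&"\'');
}

# Build the reflected fragment from already-escaped values only.
sub render_page {
    my (%param) = @_;
    my $id   = validate_id($param{id});          # dies on bad input
    my $name = escape_html($param{name} // '');  # free text, so escape
    return "<p>Record $id for user: $name</p>\n";
}

# Constructed sample requests (not captured traffic).
my @requests = (
    { id => '42',  name => 'alice' },
    { id => '42',  name => '<script>alert(1)</script>' },
    { id => '4a2', name => 'alice' },
);

for my $req (@requests) {
    # eval turns the die into a controlled error response instead of
    # letting the request continue with bad data.
    my $html = eval { render_page(%$req) };
    if ($@) {
        print "400 Bad Request: $@";
    } else {
        print $html;
    }
}
```

Run it as a plain script; the second request is rendered as literal text (`&lt;script&gt;...`) rather than markup, and the third is refused before any output is built. Whether Checkmarx clears the finding depends on it recognising the escaping call as a sanitizer for the HTML sink; the escaping is what actually removes the vulnerability.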

Re^2: Reflected XSS All Clients
by Rishi2Monk (Novice) on Dec 27, 2022 at 10:23 UTC

    Thanks for the reply. I corrected the compilation and /[^0-9]/. My intention is to clear the Checkmarx finding, and since I do not know the content of the input, I go with print instead of die. But even after I do this sanitization, Checkmarx is not satisfied and throws the same error.

      You are still not escaping the user specified values for your output target format. Until you do that, you will not solve the problem.
