HighFile-scopePHP Plug & play

Escape Output to Prevent XSS

Always escape or sanitize user‐provided content before displaying it in HTML. Use functions like htmlspecialchars() to convert special characters into HTML entities.

Add to Mesrai Open workspace

Why this matters

Without escaping output, an attacker can inject malicious JavaScript (Cross‐Site Scripting) that will execute in other users’ browsers, compromising sensitive data and application integrity.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
echo "<p>Name: " . $_POST['nome'] . "</p>";
?>

Prefer

<?php
$nome = htmlspecialchars($_POST['nome'], ENT_QUOTES, 'UTF-8');
echo "<p>Name: $nome</p>";
?>

More snippets

Bad

<?php
echo "<p>Name: " . $_POST['nome'] . "</p>";
?>

Good

<?php
$nome = htmlspecialchars($_POST['nome'], ENT_QUOTES, 'UTF-8');
echo "<p>Name: $nome</p>";
?>

Related rules

From the same buckets as this rule.

Critical
Always sanitize user inputs
Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.
security-hardening
Critical
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
security-hardening
Critical
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
maintainabilitysecurity-hardening

Why this matters

Bad vs. good

More snippets

Related rules

Always sanitize user inputs

Always Verify Server Certificates in SSL/TLS Connections

Avoid modifying built-in prototypes

Why this matters

Bad vs. good

More snippets

Related rules

Always sanitize user inputs

Always Verify Server Certificates in SSL/TLS Connections

Avoid modifying built-in prototypes