Remediation Steps

Follow the steps below to remediate this finding (generic developer guidance, not tied to a specific framework).

  1. Reflected XSS occurs when user-supplied input is echoed back in the HTTP response without proper encoding.

  2. Remediation steps:

    • Validate all input against an allowlist of expected characters.
    • Encode output for the correct context before rendering:
      - HTML body:

        htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')

      - HTML attribute: same as above
      - JavaScript context:

        json_encode($value)

      - URL parameter:

        urlencode($value)

    • Implement a strict Content-Security-Policy to mitigate the impact of any bypass.
    • Use a Web Application Firewall (WAF) as a defence-in-depth measure.
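As an added example that is not part of the original guidance, the following PHP (assuming PHP 7.3 or later; the helper and function names are my own) applies the allowlist check and each of the encoders listed above to one query parameter, beside the vulnerable raw echo the guidance warns against:

```php
<?php
// Added example, not from the original guidance: one untrusted parameter
// rendered into an HTML body, a quoted attribute, an inline script and a URL.
declare(strict_types=1);
// Step 1: allowlist validation. A search term limited to letters, digits,
// spaces and a few punctuation marks; anything else is rejected outright.
function validate_search_term(string $input): ?string
{
    return preg_match('/^[\p{L}\p{N} .,\'-]{1,64}$/u', $input) === 1 ? $input : null;
}
// Step 2: context-specific encoders. The allowlist deliberately permits an
// apostrophe (names like O'Brien), so output encoding is still required.
function enc_html(string $value): string
{
    // Sufficient for the HTML body and for attribute values that are quoted.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function enc_js(string $value): string
{
    // The JSON_HEX_* flags also escape < > & ' " so the literal cannot close
    // the surrounding <script> element or break out of an attribute.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}
function enc_url(string $value): string
{
    return urlencode($value);
}
// Vulnerable form: the raw parameter is echoed into every sink.
function render_vulnerable(string $q): string
{
    return "<p>Results for: $q</p><script>var lastQuery = '$q';</script>";
}
// Hardened form: validate first, then encode per sink. Rejected input is
// replaced by an empty string rather than reflected in any form.
function render_hardened(string $q): string
{
    $term = validate_search_term($q) ?? '';
    return '<p>Results for: ' . enc_html($term) . '</p>'
         . '<input type="text" value="' . enc_html($term) . '">'
         . '<script>var lastQuery = ' . enc_js($term) . ';</script>'
         . '<a href="/search?q=' . enc_url($term) . '">Repeat</a>';
}
// Constructed sample input: passes the allowlist but would still break out of
// the single-quoted JavaScript string in render_vulnerable().
echo render_hardened($_GET['q'] ?? "O'Brien");
```

The sample value is the point of the contrast: allowlisting alone leaves the inline script context exploitable, while the hardened output renders the same name safely in all four sinks.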