https://wiki.owasp.org/index.php?action=history&feed=atom&title=CRV2_RevCodeReflectedAntiPatternPHPCRV2 RevCodeReflectedAntiPatternPHP - Revision history2026-04-30T09:13:05ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=CRV2_RevCodeReflectedAntiPatternPHP&diff=161088&oldid=prevAbbas Naderi: reflected XSS attacks2013-10-18T19:33:21Z<p>reflected XSS attacks</p>
<p><b>New page</b></p><div>To mitigate reflected XSS attacks fully, a PHP code should never output variables using echo, print and other output generating functions. If the output needs to be complex (for example a HTML list of variables) the HTML part should be outside PHP tags, and the rest should be inside and using safe output functions (available in OWASP PHP Security Project Core Library). For example:<br />
<br />
<nowiki><br />
foreach ($list as $item)<br />
{<br />
?><br />
<li><?php phpsec\exho($item);?></li><br />
<?php<br />
}<br />
</nowiki><br />
<br />
Or<br />
<br />
<nowiki><br />
foreach ($list as $item)<br />
{<br />
phpsec\printf("<li>%s</li>\n",$item);<br />
}<br />
</nowiki></div>Abbas Naderi