PHP 中 XSS 的 Snyk 误报
Snyk False Positives for XSS in PHP
我们最近开始使用 Snyk 执行代码分析,但是遇到了绊脚石,即尽管有适当的代码来清理和处理这个问题,但第一次扫描报告了许多 (>700) 个 XSS 漏洞。
看起来 Snyk 无法考虑我们正在使用包含在单独文件中的不同方法执行消毒,例如:
$mySuperAwesomeVar = Sanitise($_GET["NaughtyUser"]);
查看检测的数据流,我们可以看到它的来源是上述行,但它没有进入 Sanitise 方法。
有什么想法吗?
Snyk 已告知这是产品的限制,并建议应改用 Twig 等模板语言。
Unfortunately in some cases it's not possible to identify the appropriate data flow when it is separated over multiple files. This is probably the case here. Our support for PHP (and all languages we support) is ever-evolving and we are working on improving this. [...]
This might not be a feasible solution, but using a PHP template engine such as Twig could help (reduce FP rate, ensure consistent escaping and layout etc), rather than using echo in such a way to render dynamic content.
我们最近开始使用 Snyk 执行代码分析,但是遇到了绊脚石,即尽管有适当的代码来清理和处理这个问题,但第一次扫描报告了许多 (>700) 个 XSS 漏洞。
看起来 Snyk 无法考虑我们正在使用包含在单独文件中的不同方法执行消毒,例如:
$mySuperAwesomeVar = Sanitise($_GET["NaughtyUser"]);
查看检测的数据流,我们可以看到它的来源是上述行,但它没有进入 Sanitise 方法。
有什么想法吗?
Snyk 已告知这是产品的限制,并建议应改用 Twig 等模板语言。
Unfortunately in some cases it's not possible to identify the appropriate data flow when it is separated over multiple files. This is probably the case here. Our support for PHP (and all languages we support) is ever-evolving and we are working on improving this. [...]
This might not be a feasible solution, but using a PHP template engine such as Twig could help (reduce FP rate, ensure consistent escaping and layout etc), rather than using echo in such a way to render dynamic content.