Cross site scripting persistant

[tahriabd]

Hi,

$subject and $comments in insert.php are vulnerables to xss attack: a remote attacker could inject à malicious javascript to corrupt user for example: <script>alert(1)</script>

to correct this vulnerability you need to escape html characteres by

htmlentities($comments, ENT_QUOTES)

and htmlentites($subject, ENT_QUOTES)

https://www.acunetix.com/websitesecurity/cross-site-scripting/

[alexander-zierhut]

Great observation @tahriabd
It would even be better to fix this using parameter binding. It is vital that code like yours is not published with those kinds of problems. Beginners will simply copy and paste it. https://www.php.net/manual/en/mysqli-stmt.bind-param.php

[tahriabd]

I agree, The best way is to use prepare statement like pdo or framework symfony but here, it s just a quick fix for who want to test code. The quick fix proposed in commit on issue #5 is safe too

[alexander-zierhut]

Very true. But I guess this fill never be fixed / merged / updated on the website