We have a core PHP application. We had it tested by a security agency, and they notified us that our site has a cross-site scripting problem. They reported the same issue on most of the pages. The exact error they reported is:
Cross-site scripting (reflected) /users/main/commoncontacts.php [name of an arbitrary supplied URL parameter]
They have also shared the GET request they sent:
/users/main/commoncontacts.php/v8hhi">alert(1)g2gx7
I have spent a lot of time looking for a solution for this. Everyone talks about different methods for stopping the injection, but they mainly all talk about the parameter value, not the parameter name. So when a non-existing parameter name is passed, how can this happen?
One of my assumptions is that I should use the parse_url and parse_str functions to check for a suspicious parameter, and if I find one, show an error message or send an error response.
Please help.
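Added example, not the asker's code: it shows in PHP the kind of code that reflects a parameter name (or the extra path segment after the script name) into the page, beside the version that HTML-encodes what it reflects. The function names, the `$known` list and the constructed `$probe` array are assumptions, not anything from the original post.

```php
<?php
// Hypothetical vulnerable pattern: the script reports unknown query
// parameters by echoing their *names*, which come straight from the URL.
function render_unknown_params_vulnerable(array $get, array $known): string {
    $html = '';
    foreach ($get as $name => $value) {
        if (!in_array((string)$name, $known, true)) {
            // $name is attacker-controlled and lands in HTML unencoded.
            $html .= "<p>Unknown parameter: $name</p>";
        }
    }
    return $html;
}

// Encode for an HTML text or attribute context. ENT_QUOTES covers both
// quote characters, so the value is safe inside attribute values as well.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened version: every reflected string is encoded, names included.
function render_unknown_params_safe(array $get, array $known): string {
    $html = '';
    foreach ($get as $name => $value) {
        if (!in_array((string)$name, $known, true)) {
            $html .= '<p>Unknown parameter: ' . h((string)$name) . '</p>';
        }
    }
    return $html;
}

// The reported request also appends a path segment after commoncontacts.php.
// Echoing $_SERVER['PHP_SELF'] or REQUEST_URI into a form action reflects that
// segment; SCRIPT_NAME excludes PATH_INFO, and it is still encoded here.
function form_action_safe(): string {
    return h($_SERVER['SCRIPT_NAME'] ?? '/users/main/commoncontacts.php');
}

// Constructed input resembling the agency's probe (a parameter with no value
// whose name carries the markup). $_GET would hold the same shape.
$probe = ['v8hhi">alert(1)g2gx7' => ''];
echo render_unknown_params_safe($probe, ['id']), "\n";
echo '<form action="', form_action_safe(), '" method="post"></form>', "\n";
```

Rejecting requests that contain suspicious parameter names is a secondary filter at best; the fix the report calls for is to encode every value the page reflects, including parameter names and the request path, at the point where it is written into HTML.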