I have the following PHP code:
<?php $redirect_lp = $_GET['lp']; ?>
<script>
setTimeout(function(){
window.location.href = "<?php echo $redirect_lp; ?>";
}, 10)
</script>
How do I sanitize $redirect_lp?
I know this code is bad because of this attack:
http://example.com/index.php?lp="-alert("XSS "%2bdocument.domain)-"
To protect from this particular attack, I sanitize for ":
$redirect_lp = str_replace("\"", "", $redirect_lp);
Is this enough?
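
Added example, not part of the original question: the value lands in two contexts (a JavaScript string inside `<script>`, and a URL assigned to `window.location.href`), so this sketch validates the redirect target against an allowlist and then encodes it as a JavaScript literal instead of stripping one character. The `ALLOWED_HOSTS` list and the function names `safe_redirect_target` and `js_string` are assumptions made for illustration.

```php
<?php
// Added example; ALLOWED_HOSTS is an assumed allowlist, not from the original post.
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

// Return $raw only if it is a same-site path or an http(s) URL on an allowed host.
function safe_redirect_target(string $raw, string $fallback = '/'): string
{
    // Reject empty input, whitespace, control characters and backslashes.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return $fallback;
    }
    // Same-site path: exactly one leading slash ("//host" is protocol-relative).
    if ($raw[0] === '/') {
        return substr($raw, 1, 1) === '/' ? $fallback : $raw;
    }
    // Anything else must parse as an absolute URL with a scheme and a host.
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    $scheme_ok = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $host_ok   = in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
    return ($scheme_ok && $host_ok) ? $raw : $fallback;
}

// Encode a PHP string as a JavaScript string literal that is safe inside <script>:
// quotes, <, >, & and ' are emitted as \uXXXX escapes, so the literal cannot be closed early.
function js_string(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $json = json_encode($value, $flags);
    return $json === false ? '"/"' : $json;
}

// ?lp[]=x makes $_GET['lp'] an array, so check the type before use.
$lp = $_GET['lp'] ?? '';
$redirect_lp = safe_redirect_target(is_string($lp) ? $lp : '');
?>
<script>
setTimeout(function () {
    window.location.href = <?php echo js_string($redirect_lp); ?>;
}, 10);
</script>
```

With the URL from the question, `safe_redirect_target` falls back to `/` because the value is neither a same-site path nor an allowed `http`/`https` URL, and `js_string` supplies its own surrounding quotes, so the template no longer wraps the value in `"`.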