Security Hub

Bring your software development workflows to security


PHP Reflected XSS

Signals & Triggers

On request
If malicious user input not escaped in the response


  • block incoming http request Block incoming http request
  • Send a slack notification Send a Slack notification
  • Send an email notification Send an email notification
  • POST to webhook
  • Log request stack trace


A Cross-site Scripting (XSS) allows an attacker to inject a script into the content of a website or app. When a user visits the infected page the script will execute in the victim’s browser. This allows attackers to steal private information like cookies, account information etc.

There are two types of XSS: reflected XSS and stored XSS. A reflected XSS (or also called a non-persistent XSS attack) happens when a malicious script is reflected off to another website through the victim’s browser. It’s often injected through the query string. The XSS vulnerability can then just be exploited by making a user click on a link. A stored XSS (or persistent XSS) takes place when the malicious script is injected directly into the vulnerable web application.

This security plugin protects applications and users from reflected XSS.

Advanced details

When the application starts, Sqreen library hooks the unsafe methods in order to catch data about to be rendered in the HTML page.

On each user inputs, we will check if it contains JavaScript. If it’s the case and if it’s inside the PHP output, then we will block the request.

Language support

  • PHP

Data collected by Sqreen

No data collected

On attack
  • Malicious user input
  • Stack trace
  • HTTP request context

Build amazing products. Keep them safe.

Dive into Sqreen with our 14-day trial, and experience seamlessly security. Free Trial Request demo