synk issues for Cross-site Scripting (XSS)

[MdMumtajTR]

Hi Team,
While running a vulnerability scan using the Snyk tool, I encountered a Cross-site Scripting (XSS) issue related to unsensitized input in the [url] and the issue appears at lines no 1912.(https://github.com/dapphp/radius/blob/master/src/Radius.php) file.

The description of the issue Unsensitized input from an HTTP header flow into the echo statement, where it is used to render an HTML page returned to the user.
This may result in a Cross-Site Scripting attack (XSS).

Currently, I am using dapphp/radius version 3.0

Can anyone provide suggestions to fix the XSS issue?

[MdMumtajTR]

Hi team,
I am looking forward to your response regarding the issue I explained in previous comment. Could you please assist me with this?

[dapphp]

It looks like the tool is picking up debug output that is printed if setDebug(true) is used on the client. There should be no reason that anyone would use setDebug with a RADIUS client tied to a web application. Even if it were, the RADIUS server would need to send attribute data that was unescaped HTML.

To satisfy the tool, I can add a patch so that debug output is escaped if the SAPI is something other than the CLI, but this is no cause for alarm and you can safely disregard the XSS alert the tool is calling out.