TaintedHtml
User-controlled input reaches an HTML output sink without sanitization, creating a cross-site scripting (XSS) risk.
Example
Example

```php
<?php
echo $_GET['name']; // raw user input written to HTML
```

How to fix
Escape output with htmlspecialchars() before writing it into HTML. Pass ENT_QUOTES so that single quotes are encoded as well (otherwise the value is still injectable inside a single-quoted attribute), and name the charset explicitly.

```php
<?php
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
```

This is the correct fix only for the two contexts htmlspecialchars() is designed for: HTML text content and quoted attribute values. Values placed inside an inline <script> block, a URL attribute such as href or src, or a style attribute need their own context-specific encoding; HTML entity escaping is not decoded by the browser in those positions and does not neutralise the payload there. Validate or whitelist instead of escaping where the value must be a URL, a number or an identifier.
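The following is an added, stand-alone example rather than code from the original page: it puts the tainted and the fixed form side by side and extends the fix to the inline-script context the page's one-liner does not cover. The helper names e() and js() and the sample input are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES also converts ' so the value is safe in single-quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''
// (the pre-PHP-8.1 default behaviour on bad input), so no value is silently lost.
// Hypothetical helper name chosen for this example.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value for embedding inside an inline <script> block. HTML escaping is
// the wrong tool there: the browser does not decode entities inside <script>.
// The JSON_HEX_* flags hex-escape < > & ' " so the literal cannot close the tag.
// Hypothetical helper name chosen for this example.
function js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input standing in for $_GET['name'].
$name = '<img src=x onerror="alert(1)">';

// Tainted: user input flows straight into HTML (what TaintedHtml reports).
$vulnerable = '<h1>Hello, ' . $name . '</h1>';

// Fixed: text node, quoted attribute and script contexts each get their own encoder.
$safe = '<h1>Hello, ' . e($name) . "</h1>\n"
      . '<input type="text" name="name" value="' . e($name) . "\">\n"
      . '<script>var name = ' . js($name) . ';</script>';

echo "Vulnerable output:\n", $vulnerable, "\n\n";
echo "Safe output:\n", $safe, "\n";
```

Running this from the CLI prints the payload unchanged in the vulnerable block, while the safe block shows `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;` in the text and attribute positions and `"\u003Cimg src=x onerror=\u0022alert(1)\u0022\u003E"` inside the script, none of which the browser will execute.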