Security: Sanitize 'project' GET parameter to prevent Reflected XSS

Summary

A security analysis has identified a Reflected Cross-Site Scripting (XSS) vulnerability. The application is not properly encoding user-provided data from a GET parameter before including it in the HTML response.

Vulnerability Details

  • Description: The project GET parameter is directly rendered into the page's HTML without being sanitized. This allows an attacker to craft a malicious URL that injects and executes arbitrary JavaScript in the context of a victim's browser session.
  • Impact: This could lead to session hijacking, data theft, or defacement of the application for the affected user.

Recommended Action

To remediate this vulnerability, apply context-aware output encoding to the user-supplied input. Specifically, use the htmlspecialchars() function to convert special characters to their corresponding HTML entities.

Example Implementation:

```php
echo htmlspecialchars($_GET['project'], ENT_QUOTES, 'UTF-8');
```

This will ensure the user input is treated as plain text and rendered safely by the browser.
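As an added illustration (not code from this issue or the project), the snippet below places the unencoded rendering next to the remediated one and also covers the attribute and URL-query contexts the fix must handle; the helper name e(), the markup and the sample project name are assumptions.

```php
<?php
// Added example, not the project's own code. Assumes the page reads the
// project name from $_GET['project'] and renders it both as text and
// inside a link; e() and the markup below are hypothetical.
declare(strict_types=1);

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot terminate a
    // single- or double-quoted attribute. ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning "" (a silent failure that drops content).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable form: the raw parameter is interpolated into the markup. */
function renderUnsafe(string $project): string
{
    return "<h1>Project: $project</h1>\n"
         . "<a href='/projects?project=$project'>Reload</a>\n";
}

/** Remediated form: every interpolation is encoded for its context. */
function renderSafe(string $project): string
{
    // Text node: HTML-encode.
    $heading = '<h1>Project: ' . e($project) . "</h1>\n";
    // URL query inside an attribute: percent-encode for the URL first,
    // then HTML-encode the result because it sits inside an attribute.
    $href = '/projects?project=' . rawurlencode($project);
    $link = "<a href='" . e($href) . "'>Reload</a>\n";
    return $heading . $link;
}

// Constructed sample input containing every character that matters in
// an HTML context (quotes, angle brackets, ampersand).
$project = $_GET['project'] ?? "O'Brien \"Beta\" <v2> & co";

echo "--- unsafe ---\n", renderUnsafe($project);
echo "--- safe ---\n", renderSafe($project);
```

Run it from the command line to compare the two outputs: the remediated markup contains no raw quote, angle bracket or ampersand originating from the input, while the unsafe markup reproduces them verbatim.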
