How can I clean a URL from XSS attacks?

HI EVERYONE,

I could not find any solution on previous topics here so I thought I could open a discussion here. The project I am working on is in Yii1.1, recently got tested, and it turned out that you can efficiently perform an XSS injection in the URL and the web app lets the script perform.
The only step to making the script work is to encode the javascript piece like this:

https://localhost/new/<script>alert(1)⁢/script>.

Output:

How can I clean this Url from not generating javascript output?

You cannot clean URL from anything users choose to inject on their browser. However you can “clean” all user variables coming from URL (and you should for everything else)
Read OWASP on XSS attack prevention:

See Yii guide on that:

1 Like