CVE-2025-12450: PHP HTML Comment XSS
Unsanitized data is inserted into an HTML comment. An attacker who controls that data can terminate the comment early with `-->` (the HTML parser also accepts `--!>` as a terminator) and place arbitrary HTML or JavaScript after it, leading to Cross-Site Scripting (XSS). Avoid writing user-controlled data into HTML comments at all; where it is unavoidable, escape it with `htmlspecialchars` (or an equivalent HTML-context encoder) before appending it, so that the `>` needed to close the comment is emitted as `&gt;`. Note that `htmlspecialchars` is an encoder, not a sanitizer: it neutralizes the breakout characters but does not remove the data.
Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · PHP · β
Fetch this rule with: greprules fetch cve-2025-12450-php-html-comment-xss --engine opengrep
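As an added example (not code from this rule or from the Provally repository), the following PHP shows the pattern the rule describes beside a hardened version, driven by a constructed payload that closes the comment early. The function names, the payload and the helper check are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not part of the rule. Function names, the payload and the
// helper check below are hypothetical and exist only for this demonstration.

// Vulnerable: user-controlled data interpolated straight into an HTML comment.
// This is the shape of code the rule is meant to flag.
function debugCommentVulnerable(string $username): string
{
    return "<!-- rendered for user: $username -->\n";
}

// Hardened: encode for an HTML context first. Both comment terminators
// ("-->" and "--!>") need a literal ">", which htmlspecialchars turns into
// "&gt;", and entities are not decoded inside comments, so the attacker can
// no longer close the comment. Runs of hyphens are then collapsed so the
// comment body never contains "--", which HTML does not allow inside a
// comment; this keeps the output well-formed rather than merely safe.
function debugCommentSafe(string $username): string
{
    $escaped = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $escaped = preg_replace('/-{2,}/', '-', $escaped);
    return "<!-- rendered for user: $escaped -->\n";
}

// Crude check used only for this demonstration: the template always writes
// the closing " -->" itself, so any comment terminator appearing before that
// final one means the attacker ended the comment early.
function closesCommentEarly(string $html): bool
{
    $ownClose = strrpos($html, '-->');
    if ($ownClose === false) {
        return false;
    }
    $body = substr($html, 0, $ownClose);
    return preg_match('/--!?>/', $body) === 1;
}

// Constructed payload: close the comment, inject script, then reopen a
// comment so the template's trailing "-->" does not show up as stray text.
$payload = "--><script>alert(document.domain)</script><!--";

echo "Vulnerable output:\n", debugCommentVulnerable($payload);
echo "Hardened output:\n", debugCommentSafe($payload);

echo "Vulnerable breaks out: ", var_export(closesCommentEarly(debugCommentVulnerable($payload)), true), "\n";
echo "Hardened breaks out:   ", var_export(closesCommentEarly(debugCommentSafe($payload)), true), "\n";
```

Run it with `php example.php`. The encoding step alone is what stops the breakout; the hyphen collapse is defence in depth so the emitted comment is also valid HTML. In practice the better fix is to not put request data into comments at all, since a comment that only a developer reads is rarely worth the extra output-encoding site to get right.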
Community feedback
0 signals from signed-in users (Useful: 0, False positive: 0, Metadata: 0).