CVE-2025-12746: PHP Tainted HTML Attribute XSS

User input from superglobals ('$_GET', '$_POST', '$_REQUEST', '$_COOKIE', etc.) was found flowing into an output statement ('echo' or 'print') with either no escaping or insufficient escaping. Notably, 'htmlspecialchars()' called without the 'ENT_QUOTES' flag (for example with an explicit 'ENT_COMPAT', or with the default flags on PHP versions before 8.1, where the default did not include 'ENT_QUOTES') does not escape single quotes, so a value embedded inside a single-quoted HTML attribute can close the attribute and inject new attributes or event handlers (XSS). Use 'esc_attr()', 'esc_html()', or 'htmlspecialchars
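The breakout described above, shown as an added example that is not part of the rule page or the Provally project. It renders a constructed payload into a single-quoted 'value' attribute three ways: with 'ENT_COMPAT' (no single-quote escaping), with PHP's default flags (whose safety depends on the PHP version), and with an explicit 'ENT_QUOTES | ENT_SUBSTITUTE'. 'esc_attr()' is a WordPress helper and is not available in plain PHP, so the hardened variant uses 'htmlspecialchars()' directly. The function names and the payload are the example's own.

```php
<?php
// Added example (not from the rule page or the Provally project).
declare(strict_types=1);

// Constructed attack input: closes the single-quoted attribute, then adds an
// event handler and 'autofocus' so the handler fires without user interaction.
const PAYLOAD = "' onfocus='alert(1)' autofocus='";

// Vulnerable: ENT_COMPAT escapes only double quotes, so ' passes through.
// This is also what htmlspecialchars() did by default before PHP 8.1.
function renderWithEntCompat(string $input): string
{
    $value = htmlspecialchars($input, ENT_COMPAT | ENT_HTML401, 'UTF-8');
    return "<input name='q' value='" . $value . "'>";
}

// Version-dependent: default flags include ENT_QUOTES only on PHP >= 8.1.
// Code like this is safe on modern PHP and exploitable on older runtimes.
function renderWithDefaultFlags(string $input): string
{
    $value = htmlspecialchars($input);
    return "<input name='q' value='" . $value . "'>";
}

// Hardened: ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently drop output).
function renderSafe(string $input): string
{
    $value = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
    return "<input name='q' value='" . $value . "'>";
}

// Minimal check used by this example: a value that still contains a raw quote
// of either kind can terminate a quoted attribute.
function attributeValueIsSafe(string $escapedValue): bool
{
    return strpos($escapedValue, "'") === false
        && strpos($escapedValue, '"') === false;
}

foreach (['ENT_COMPAT' => 'renderWithEntCompat',
          'default flags (PHP ' . PHP_VERSION . ')' => 'renderWithDefaultFlags',
          'ENT_QUOTES | ENT_SUBSTITUTE' => 'renderSafe'] as $label => $fn) {
    $html = $fn(PAYLOAD);
    // Extract what ended up between the value='...' delimiters as the renderer
    // intended them, i.e. everything after "value='" up to the final "'>".
    $start = strpos($html, "value='") + strlen("value='");
    $inner = substr($html, $start, -2);
    printf("%-35s %s\n", $label . ':', attributeValueIsSafe($inner) ? 'safe' : 'BREAKOUT');
    echo '  ', $html, PHP_EOL;
}
```

Quoting the attribute is a precondition for any of this: an unquoted attribute ('value=<?= htmlspecialchars($x) ?>') can be broken out of with a space, which no 'htmlspecialchars()' flag combination escapes. When auditing, treat 'htmlspecialchars($x)' with no flags as unsafe unless the deployment is pinned to PHP 8.1 or later, and prefer passing 'ENT_QUOTES' explicitly so the behaviour does not depend on the runtime.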

Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · PHP · β
greprules fetch cve-2025-12746-php-tainted-html-attribute-xss --engine opengrep
