Cross site scripting issue by adding new parameter in the request

Question

Below is my url with request

http://test.com?leavingfrom=BOM&goingto=DEL&travel=DOM&_token=gclligMoBzOHW4wwruDShklxbOh3SjsKTWRvWFK0&Default=O&leavingfrom1=Mumbai+%28BOM%29&goingto1=New+Delhi+%28DEL%29&depart=16-02-2017&arrive=&class=E&adults=1&child=0&infants=0
Cross site scripting is happening for this URL as below. New parameter is added in the URL as '-alert-'=1 and passed to nextpage

http://test.com?leavingfrom=BOM&goingto=DEL&travel=DOM&_token=gclligMoBzOHW4wwruDShklxbOh3SjsKTWRvWFK0&Default=O&leavingfrom1=Mumbai+%28BOM%29&goingto1=New+Delhi+%28DEL%29&depart=16-02-2017&arrive=&class=E&adults=1&child=0&infants=0&'-alert-'=1

How can i stop the cross site scripting if new parameter is added

Check [here](http://stackoverflow.com/questions/27698977/laravel-and-xss-protection-how-where)... — AddWeb Solution Pvt Ltd, Feb 01 '17 at 13:43

score 0 · Answer 1 · answered Feb 01 '17 at 13:46

You can use this class as middleware

class XSSProtection
{
    /**
     * The following method loops through all request input and strips out all tags from
     * the request. This to ensure that users are unable to set ANY HTML within the form
     * submissions, but also cleans up input.
     *
     * @param Request $request
     * @param callable $next
     * @return mixed
     */
    public function handle(Request $request, \Closure $next)
    {
        if (!in_array(strtolower($request->method()), ['put', 'post'])) {
            return $next($request);
        }

        $input = $request->all();

        array_walk_recursive($input, function(&$input) {
            $input = strip_tags($input);
        });

        $request->merge($input);

        return $next($request);
    }
}

REF : https://gist.github.com/kirkbushell/5d40fdd7f7b364716742

Cross site scripting issue by adding new parameter in the request

1 Answers1