Snyk False Positives for XSS in PHP


We've recently started using Snyk to perform code analysis; however, we have hit the stumbling block that the first scan is reporting many (>700) XSS vulnerabilities despite having code in place to sanitise and handle this.

It looks like Snyk is unable to take into account that we are performing sanitisation in a different method that is included from a separate file, for example:

$mySuperAwesomeVar = Sanitise($_GET["NaughtyUser"]);

Looking at the Data Flow for the detection, we can see that the source of it is the aforementioned line, but it doesn't go into that Sanitise method.

Any ideas?

On BEST ANSWER

Snyk have advised that this is a limitation of the product and have suggested that a templating language such as Twig should be used instead.

Unfortunately in some cases it's not possible to identify the appropriate data flow when it is separated over multiple files. This is probably the case here. Our support for PHP (and all languages we support) is ever-evolving and we are working on improving this. [...]

This might not be a feasible solution, but using a PHP template engine such as Twig could help (reduce FP rate, ensure consistent escaping and layout etc), rather than using echo in such a way to render dynamic content.
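As an added illustration (not code from the question, the asker, or Snyk's reply), here are the two rendering styles the answer contrasts side by side: a hand-rolled Sanitise() helper of the kind normally kept in a separate included file, wrapped around echo, and the same output produced through Twig, whose default HTML autoescaping removes the per-echo sanitiser call that a scanner has to trace. The body of Sanitise(), the constructed input, and the twig/twig Composer dependency are assumptions.

```php
<?php
declare(strict_types=1);

// In the question's codebase this helper lives in a separate included file;
// a taint analyser has to follow the call across that file boundary to see
// that the value is safe before it reaches echo.
function Sanitise(?string $value): string
{
    // ENT_QUOTES also encodes single quotes (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' so a
    // malformed byte sequence cannot silently bypass the encoding.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-in for $_GET["NaughtyUser"] so the script runs offline.
$naughtyUser = '<script>alert(1)</script>';

// Style 1: the pattern from the question. The output is safe, but the proof
// of safety is the Sanitise() call, not the echo itself.
$mySuperAwesomeVar = Sanitise($naughtyUser);
echo '<p>Hello, ' . $mySuperAwesomeVar . '</p>', PHP_EOL;
// Renders: <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Style 2: Twig (assumes twig/twig installed via Composer). With the default
// 'autoescape' => 'html', every {{ variable }} is escaped on output, so the
// template engine enforces consistent escaping instead of each echo site.
require_once __DIR__ . '/vendor/autoload.php';

$twig = new \Twig\Environment(new \Twig\Loader\ArrayLoader([
    'hello.html.twig' => '<p>Hello, {{ name }}</p>',
]));
echo $twig->render('hello.html.twig', ['name' => $naughtyUser]), PHP_EOL;
// Renders the same escaped markup as style 1, without a hand-written sanitiser.
```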