Cross Site Scripting in SonarQube

I think sonarlint doesn’t support many cases of corss site scripting detection like the below cases.

echo $_GET['name'];
echo $_POST['name'];

I’m using sonarQube to analyse my project and I already put the above lines in the code but sonar didn’t detect these issues which is strange for me.

It detects only eval($_GET['name']);

1 Like

At the moment we don’t have a rule that would catch such cross site scripting suspects. We’re actively working on this, so stay tuned for upcoming releases later this year. Note however that such rule might be limited to SonarQube/SonarCloud in the short-mid term, and not be available in SonarLint.

I’m doing this and working on it for MSc so could you give me an access to API or source code? and I will share results with you if you acknowledge my name.

Perhaps you’re looking for our Extension Guide.

Our open-source code are available on GitHub.

Hi Janos, I was just wondering if this made it’s way into sonarqube?

Hello Andrew,

We are working to provided XSS detection capabilities for Java, C# and PHP. This will be available in SonarCloud and with the SonarQube Developer Edition.

FYI: related specification ticket:


1 Like

Hello @Ahmed_92, @ndrw,

I’m resurrecting this old thread to confirm that the rule S5131 able to detect this PHP XSS issue is available on SonarQube 7.9.1 LTS and


1 Like