Where we have no input sanitization and were able to find an XSS. Curious as to why SonarQube has not caught anything? Is this behaviour considered “safe”?
Can you tell me what edition of SonarQube you are using, e.g., Community Edition, Developer Edition, …? It is important to know that our security engine that detects this type of injection vulnerability is not included in the Community Edition. It is included in the Developer Edition and above (see here).
The vulnerabilities are detected correctly for me when I scan the code (after adding opening and closing tags around the PHP code at the beginning).
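As an added illustration of the kind of finding discussed above (constructed example, not the poster's file, which is not reproduced in this thread): a minimal reflected XSS in PHP, where a request parameter flows unencoded into HTML output, beside a hardened form that encodes for the HTML context. The file starts with a `<?php` opening tag, since the reply above notes the analyzer only picked up the vulnerability once the snippet was wrapped in PHP tags. The function names and the `name` parameter are assumptions for the example.

```php
<?php
// Constructed example, not code from the original post.

// Vulnerable: the untrusted query parameter is concatenated straight into
// the HTML response, so ?name=<script>...</script> is reflected as markup.
function greet_unsafe(array $query): string
{
    $name = $query['name'] ?? 'guest';
    return '<p>Hello, ' . $name . '</p>';   // reflected XSS sink
}

// Hardened: encode the value for the HTML text/attribute context before output.
// ENT_QUOTES also escapes single quotes, which matters inside attributes.
function greet_safe(array $query): string
{
    $name = $query['name'] ?? 'guest';
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

header('Content-Type: text/html; charset=UTF-8');
echo greet_unsafe($_GET);   // what the thread's scan should flag
echo greet_safe($_GET);     // encoded output, no injection
```

Note that, per the reply above, the taint-based injection detection that would flag `greet_unsafe` is only available in the Developer Edition and above; a Community Edition scan will report neither function as an injection vulnerability, regardless of whether the file parses correctly.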
Okay, thanks for the information. Do you see any errors in the scanner output when running the analyzer? Also, could you maybe share the whole file with me? We can do that in a private message if that is better for you. The problem might be caused by something else in the file, since just scanning this code snippet works fine for me.