
Fixing XSS in Legacy PHP: Passing the Audit vs Solving the Problem
The Challenges of Legacy Systems

Legacy systems are not vulnerable by accident — they become vulnerable as a result of continuous evolution. The decisions made over time, often under pressure to deliver, gradually shape them into what they are today. These systems are rarely insecure because of a single flawed implementation. The root cause is almost always systemic. XSS is not a bug, it is a symptom of missing design decisions.

A common characteristic of legacy systems is inconsistency. There is no unified approach to validation or output escaping. Instead, similar problems are solved in slightly different ways across the codebase. Over the years, multiple developers have worked on the system, each bringing their own practices and constraints. Most of the time, the goal was to deliver something that works — even if it was only a short-term solution. At a system level, everyone is aware that these are compromises. This is exactly the kind of environment where XSS vulnerabilities thri
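The inconsistency described above, as an added PHP example that is not the article's own code: three escaping habits that typically coexist in one legacy code base, beside a single context-aware helper that every template would call instead. The helper e(), the legacy_escape_* names and the sample input are assumptions; it targets PHP 8 with UTF-8 output.

```php
<?php
declare(strict_types=1);

// Typical legacy variants found side by side in one code base. Each one
// "works" for ordinary input but protects against different things.
function legacy_escape_a(string $s): string
{
    return htmlspecialchars($s); // before PHP 8.1 the default flags left single quotes unencoded
}
function legacy_escape_b(string $s): string
{
    return strip_tags($s);       // removes tags but encodes nothing, so quotes still break attributes
}
function legacy_escape_c(string $s): string
{
    return addslashes($s);       // an old SQL habit; does nothing useful for HTML output
}

// Hypothetical central helper: one escaping function, chosen by output context.
function e(string $value, string $context = 'html'): string
{
    switch ($context) {
        case 'html':   // text nodes
        case 'attr':   // double- or single-quoted attribute values
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        case 'js':     // a string literal inside <script>; JSON-encode with HTML-safe flags
            return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
        case 'url':    // one query-string component
            return rawurlencode($value);
        default:
            throw new InvalidArgumentException("unknown escape context: $context");
    }
}

// Constructed sample input: ordinary profile text containing quotes, a tag and an ampersand.
$name = "O'Neil <b>&</b> \"Co\"";

// The legacy helpers give three different results for the same value.
printf("a: %s\nb: %s\nc: %s\n", legacy_escape_a($name), legacy_escape_b($name), legacy_escape_c($name));

// Same value, one helper, the encoding determined by where the value lands.
echo '<span title="' . e($name, 'attr') . '">' . e($name) . '</span>' . "\n";
echo '<script>var displayName = ' . e($name, 'js') . ';</script>' . "\n";
echo '<a href="/profile?name=' . e($name, 'url') . '">profile</a>' . "\n";
```

Replacing the scattered legacy calls with e() is the "unified approach to output escaping" the text says legacy systems lack; the context argument is what makes a single helper safe across HTML, attribute, script and URL positions.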
Continue reading on Dev.to Webdev



