How to get a parameter from a URL safely

I have this snippet to get a parameter from the url:

return isset($_GET[$field]) ? $_GET[$field] : '';

But this seems to allow for XSS injection.
I’m loading a page from ModX in an iFrame (within an application) using a URL like this: “https://a-modx-site.nl//nl/app-privacy/?ourhostname=https%3A%2F%2Fdev.ourapplication.nl&device-type=DESKTOP_APP”.

I’m being advised to sanitize the result from $_GET using a library (don’t do it yourself).
Then I found this ModX extra GetUrlParam but it doesn’t seem to return anything when I call it like this:

<body class="[[!getParam? &field=`device-type`]]" data-test="[[getUrlParam? &field=`device-type`]]">

My own simple getParam works fine and getUrlParam does not. (cached or uncached doesn’t help)

What’s wrong? Any other suggestion on how to prevent XSS injection in ModX is welcome as well.

There is no property &field. Use &name instead.
Also, always call this snippet uncached!


What values do you expect in the GET parameter “device-type”?
If it’s a number, casting the parameter to an integer avoids problems.
If the parameter value should be from a known set of values, make sure that the value is from this set.
If the parameter should have a certain structure, use a regex pattern to check it.

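The three validation strategies from the answer above (integer cast, allow-list, regex), carried through in PHP with a constructed `$_GET` modelled on the URL in the question. This is an added example, not code from the thread or from the getUrlParam extra; the function names `getSafeUrlParam`/`escapeAttr` and the option keys `type`, `allowed`, `pattern`, `default` are this example's own.

```php
<?php
// Added example (not from the original thread or the getUrlParam extra).
// Validates a GET parameter with one of three strategies: integer cast,
// allow-list of known values, or an anchored regex. Unknown or failing
// input falls back to a safe default instead of being passed through.
// Option keys 'type', 'allowed', 'pattern', 'default' are this example's own.

function getSafeUrlParam(array $source, string $name, array $opts = []): string
{
    $raw = $source[$name] ?? '';
    if (!is_string($raw)) {          // arrays such as ?x[]=1 are never acceptable here
        return '';
    }
    $type    = $opts['type']    ?? 'allowlist';
    $default = $opts['default'] ?? '';

    switch ($type) {
        case 'int':
            // Only a plain (optionally negative) integer; \A and \z anchor the whole
            // string so a trailing newline cannot slip past a $ anchor.
            return preg_match('/\A-?\d+\z/', $raw) === 1 ? (string) (int) $raw : $default;
        case 'allowlist':
            // Value must be one of a fixed, known set; strict comparison avoids type juggling.
            return in_array($raw, $opts['allowed'] ?? [], true) ? $raw : $default;
        case 'pattern':
            // Caller supplies an anchored regex describing the required structure.
            return preg_match($opts['pattern'], $raw) === 1 ? $raw : $default;
        default:
            return $default;
    }
}

// Validation alone is not output encoding: escape for the context the value
// lands in. Here that is an HTML attribute value.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, modelled on the URL in the question, with an
// injection attempt in device-type and a non-numeric page value.
$_GET = [
    'device-type' => 'DESKTOP_APP" onload="alert(1)',
    'ourhostname' => 'https://dev.ourapplication.nl',
    'page'        => '3abc',
];

$deviceType = getSafeUrlParam($_GET, 'device-type', [
    'type'    => 'allowlist',
    'allowed' => ['DESKTOP_APP', 'MOBILE_APP', 'WEB'],
    'default' => 'WEB',
]);                                   // -> 'WEB' (injection attempt rejected)

$hostname = getSafeUrlParam($_GET, 'ourhostname', [
    'type'    => 'pattern',
    'pattern' => '/\Ahttps:\/\/[a-z0-9.-]+\.ourapplication\.nl\z/',
]);                                   // -> 'https://dev.ourapplication.nl'

$page = getSafeUrlParam($_GET, 'page', ['type' => 'int', 'default' => '1']);
                                      // -> '1' ('3abc' is not an integer)

echo '<body class="' . escapeAttr($deviceType) . '" data-host="' . escapeAttr($hostname) . '">';
```

Inside a MODX snippet the same function would read its property with `$modx->getOption('name', $scriptProperties, '')` (matching the `&name` property the answer points out) and return the escaped value; because the result depends on the request, the snippet has to be called uncached, `[[!getParam? &name=`device-type`]]`, exactly as the first answer says.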

Of course, how could I have overlooked that. Thanks! [Resolved]