I have a piece of code giving risk of XSS.
<select size="1" name='department'>
<option value='<?php echo $department?>' selected><?php echo $department?></option>
<option value="Dept1">Dept1</option>
<option value="Dept2">Dept2</option>
When I tried to replace the line with
<option value='<?php echo htmlspecialchars($department, ENT_QUOTES, 'UTF-8')?>' selected><?php echo htmlspecialchars($department, ENT_QUOTES, 'UTF-8')?></option>
It is still identifying it as Cross Site scripting threat. Is there anything I could be missing
Snippet code performs output encoding and prevents it from Cross-Site Scripting. It will convert the payload such as:
'"><test>
to
'"><test>
It might be possible that there could be other reason in context with some other page or full code and that could be the reason why tool reported it.