In a PHP web application (CakePHP 2.x), I am facing a JavaScript injection in the URL:
https://example.com/products/items/MTC5"onmouseover%3Dalert(9)%3B"
Because of the above URL, an alert appears when hovering over the page.
I tried to remove the quotes (", ') from the URL, but the alert still appears:
$_SERVER['REQUEST_URI']=str_replace('"', '', urldecode($_SERVER['REQUEST_URI']));
Do I have to redirect the URL once quotes are found in the URL? Any suggestions?
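
Added example, not part of the original question and not the application's own code: the URL above breaks out of an HTML attribute, so the fix belongs where the value is written into the page, not in `$_SERVER['REQUEST_URI']` (rewriting that variable only affects code that reads it after the assignment). The function names and the `<a href>` view pattern are assumptions; the sample value is the path segment from the question.

```php
<?php
// Hypothetical names throughout; the view pattern is assumed, since the
// question does not show where the URL is echoed.

// Sample input: the path segment from the URL in the question, decoded.
$item = urldecode('MTC5"onmouseover%3Dalert(9)%3B"');

// Vulnerable pattern (assumed): raw request data concatenated into an
// attribute value. The double quote closes href and the rest becomes a
// new attribute on the tag.
function renderUnsafe(string $item): string
{
    return '<a href="/products/items/' . $item . '">Item</a>';
}

// Hardened: encode for each context at output time.
//  1. rawurlencode() makes the value a single URL path segment.
//  2. htmlspecialchars() with ENT_QUOTES encodes " and ' (plus < > &) so
//     the value cannot leave the attribute. CakePHP 2.x's h() helper
//     wraps htmlspecialchars() with ENT_QUOTES.
function renderSafe(string $item): string
{
    $segment = rawurlencode($item);
    return '<a href="/products/items/'
        . htmlspecialchars($segment, ENT_QUOTES, 'UTF-8')
        . '">Item</a>';
}

// Defence in depth: accept only the shape an item id is expected to have
// (assumed here: 1-64 letters, digits, underscore or hyphen) and answer
// anything else with a 404 instead of trying to clean it up.
function isValidItemId(string $item): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $item) === 1;
}

echo renderUnsafe($item), PHP_EOL;   // attribute breakout is visible in the markup
echo renderSafe($item), PHP_EOL;     // value stays inside href as inert text
var_dump(isValidItemId($item));      // request would be rejected
var_dump(isValidItemId('MTC5'));     // a plain id passes
```

Stripping or redirecting on individual characters is a deny-list; output encoding plus an allow-list on the parameter covers the single-quote and unquoted-attribute variants as well.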