mirror of
https://github.com/danog/psalm.git
synced 2024-12-11 08:49:52 +01:00
26 lines
511 B
Markdown
26 lines
511 B
Markdown
|
# Avoiding false-negatives
|
||
|
|
||
|
## Unescaping statements
|
||
|
|
||
|
Post-processing previously escaped/encoded statements can cause insecure scenarios.
|
||
|
`@psalm-taint-unescape <taint-type>` allows to declare those components insecure explicitly.
|
||
|
|
||
|
```php
|
||
|
<?php
|
||
|
|
||
|
/**
|
||
|
* @psalm-taint-unescape html
|
||
|
*/
|
||
|
function decode(string $str): string
|
||
|
{
|
||
|
return str_replace(
|
||
|
['<', '>', '"', '''],
|
||
|
['<', '>', '"', '"'],
|
||
|
$str
|
||
|
);
|
||
|
}
|
||
|
|
||
|
$safe = htmlspecialchars($_GET['text']);
|
||
|
echo decode($safe);
|
||
|
```
|