psalm/docs/security_analysis/avoiding_false_negatives.md

# Avoiding false-negatives

## Unescaping statements

Post-processing previously escaped/encoded statements can cause insecure scenarios.
`@psalm-taint-unescape <taint-type>` allows to declare those components insecure explicitly.

```php
<?php

/**
 * @psalm-taint-unescape html
 */
function decode(string $str): string
{
    return str_replace(
        ['&lt;', '&gt;', '&quot;', '&apos;'],
        ['<', '>', '"', '"'],
        $str
    );
}

$safe = htmlspecialchars($_GET['text']);
echo decode($safe);
```
Update documentation for taints and global configuration (#5098) * [DOCS] Extend documentation on global variables configuration * [DOCS] Synchronize meaning of @psalm-taint-source input with source code * [DOCS] Add documentation for conditional @psalm-taint-escape * [DOCS] Add documentation for @psalm-taint-unescape 2021-01-25 17:04:00 +01:00			`# Avoiding false-negatives`

			`## Unescaping statements`

			`Post-processing previously escaped/encoded statements can cause insecure scenarios.`
			`@psalm-taint-unescape <taint-type>` allows to declare those components insecure explicitly.

			```php
			`<?php`

			`/**`
			`* @psalm-taint-unescape html`
			`*/`
			`function decode(string $str): string`
			`{`
			`return str_replace(`
			`['<', '>', '"', '''],`
			`['<', '>', '"', '"'],`
			`$str`
			`);`
			`}`

			`$safe = htmlspecialchars($_GET['text']);`
			`echo decode($safe);`
			```