1
0
mirror of https://github.com/danog/psalm.git synced 2024-12-11 00:39:38 +01:00
psalm/docs/security_analysis/avoiding_false_negatives.md

26 lines
511 B
Markdown
Raw Normal View History

# Avoiding false-negatives
## Unescaping statements
Post-processing previously escaped/encoded statements can cause insecure scenarios.
`@psalm-taint-unescape <taint-type>` allows to declare those components insecure explicitly.
```php
<?php
/**
* @psalm-taint-unescape html
*/
function decode(string $str): string
{
return str_replace(
['&lt;', '&gt;', '&quot;', '&apos;'],
['<', '>', '"', '"'],
$str
);
}
$safe = htmlspecialchars($_GET['text']);
echo decode($safe);
```