Some operations remove taints from data – for example, wrapping `$_GET['name']` in an `htmlentities` call prevents cross-site-scripting attacks through that `$_GET` value.
Here we’re telling Psalm that a function’s taintedness is wholly dependent on the input to the function.
If you're familiar with [immutability in Psalm](https://psalm.dev/articles/immutability-and-beyond) then this general idea should be familiar, since a pure function is one where the output is wholly dependent on its input. Unsurprisingly, all functions marked `@psalm-pure` _also_ specialize the taintedness of their output based on input:
```php
<?php // trackTaints
/**
 * @psalm-pure
 */
function takesInput(string $s) : string {
    return $s;
}
// Tainted input, but escaped before it reaches the echo sink
echo htmlentities(takesInput($_GET["name"]));
echo takesInput("hello"); // No error
```
## Specializing taints in classes
Just as taints can be specialized in function calls, tainted properties can also be specialized to a given class.
Adding `@psalm-taint-specialize` to the class fixes the issue.
```php
<?php // trackTaints
/**
 * @psalm-taint-specialize
 */
class User {
    public string $name;

    public function __construct(string $name) {
        $this->name = $name;
    }
}

/**
 * @psalm-taint-specialize
 */
function echoUserName(User $user) {
    echo $user->name; // No error
}

$user1 = new User("Keith");
$user2 = new User($_GET["name"]); // Tainted instance, never passed to echoUserName
echoUserName($user1);
```
And, because it’s a form of purity enforcement, `@psalm-immutable` can also be used:
```php
<?php // trackTaints
/**
 * @psalm-immutable
 */
class User {
    public string $name;

    public function __construct(string $name) {
        $this->name = $name;
    }
}

/**
 * @psalm-taint-specialize
 */
function echoUserName(User $user) {
    echo $user->name; // No error
}

$user1 = new User("Keith");
$user2 = new User($_GET["name"]); // Tainted instance, never passed to echoUserName
echoUserName($user1);
```
## Avoiding files in taint paths
You can also tell Psalm that you’re not interested in any taint paths that flow through certain files or directories by specifying them in your Psalm config: