mirror of https://github.com/danog/psalm.git synced 2024-11-26 20:34:47 +01:00

Clarified when it is safe to run taint analysis

This commit is contained in:
Mark McEver 2021-07-28 08:56:52 -05:00 committed by GitHub
parent 37496cde05
commit b574878f19
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2,7 +2,7 @@
Psalm can attempt to find connections between user-controlled input (like `$_GET['name']`) and places that we dont want unescaped user-controlled input to end up (like `echo "<h1>$name</h1>"` by looking at the ways that data flows through your application (via assignments, function/method calls and array/property access).
You can enable this mode with the `--taint-analysis` command line flag. When taint analysis is enabled, no other analysis is performed.
You can enable this mode with the `--taint-analysis` command line flag. When taint analysis is enabled, no other analysis is performed. To [ensure accurate results](https://github.com/vimeo/psalm/issues/6156), Psalm should be run normally prior to taint analysis, and any errors should be fixed.
Tainted input is anything that can be controlled, wholly or in part, by a user of your application. In taint analysis, tainted input is called a _taint source_.
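Review bot: The new sentence in the `--taint-analysis` paragraph tells the reader to run Psalm normally first and fix all errors, but the only justification is the issue link; a reader of the rendered docs has to leave the page to learn what goes wrong otherwise. Consider stating the consequence inline, along the lines of "because unresolved errors can cause taint paths to be missed or misreported", so the recommendation stands on its own. Since this paragraph is being touched anyway, the unchanged first sentence still has "dont" without an apostrophe and an unclosed parenthesis after `echo "<h1>$name</h1>"`; fixing both here would be cheap.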