mirror of https://github.com/danog/psalm.git synced 2024-11-29 20:28:59 +01:00
psalm/docs/security_analysis/avoiding_false_negatives.md
Oliver Hader ae54b72dba
Update documentation for taints and global configuration (#5098)
* [DOCS] Extend documentation on global variables configuration

* [DOCS] Synchronize meaning of @psalm-taint-source input with source code

* [DOCS] Add documentation for conditional @psalm-taint-escape

* [DOCS] Add documentation for @psalm-taint-unescape
2021-01-29 11:47:35 +01:00


# Avoiding false-negatives

## Unescaping statements

Post-processing a value that was previously escaped or encoded can undo that protection and reintroduce an insecure scenario. `@psalm-taint-unescape <taint-type>` lets you declare explicitly that a function re-introduces the given taint type, so the taint analysis treats its return value as tainted again even though the input had been escaped.

```php
<?php

/**
 * Reverses the HTML escaping applied by htmlspecialchars(), so any
 * `html` taint removed by that escape is restored on the return value.
 *
 * @psalm-taint-unescape html
 */
function decode(string $str): string
{
    return str_replace(
        ['&lt;', '&gt;', '&quot;', '&apos;'],
        ['<', '>', '"', "'"],
        $str
    );
}

// $safe is no longer html-tainted after htmlspecialchars() ...
$safe = htmlspecialchars($_GET['text']);
// ... but decode() re-introduces the taint, so this sink is reported.
echo decode($safe);
```
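An added example (not from the Psalm documentation) that applies the same annotation to a decoder built on `html_entity_decode()`, which is assumed here not to be modelled by Psalm's taint analysis, and contrasts the flagged sink with the remediation of re-escaping immediately before output:

```php
<?php

/**
 * Decodes all HTML entities, which can bring back `<`, `>`, `"` and `'`.
 * Without this annotation the escape applied upstream would still be
 * credited and the decoded value would pass the taint analysis unnoticed.
 *
 * @psalm-taint-unescape html
 */
function decodeEntities(string $str): string
{
    return html_entity_decode($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escaped once at the boundary; `html` taint is removed here.
$escaped = htmlspecialchars($_GET['text'], ENT_QUOTES);

// Reported by `psalm --taint-analysis`: decodeEntities() restores the
// `html` taint and the value reaches an HTML output sink unescaped.
echo '<p>' . decodeEntities($escaped) . '</p>';

// Not reported: the decoded value is escaped again right before the sink,
// which is the correct fix when decoding is genuinely required.
echo '<p>' . htmlspecialchars(decodeEntities($escaped), ENT_QUOTES) . '</p>';
```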