mirror of
https://github.com/danog/psalm.git
synced 2024-12-02 09:37:59 +01:00
ae54b72dba
* [DOCS] Extend documentation on global variables configuration * [DOCS] Synchronize meaning of @psalm-taint-source input with source code * [DOCS] Add documentation for conditional @psalm-taint-escape * [DOCS] Add documentation for @psalm-taint-unescape
26 lines
511 B
Markdown
26 lines
511 B
Markdown
# Avoiding false-negatives
|
|
|
|
## Unescaping statements
|
|
|
|
Post-processing previously escaped/encoded statements can cause insecure scenarios.
|
|
`@psalm-taint-unescape <taint-type>` allows to declare those components insecure explicitly.
|
|
|
|
```php
|
|
<?php
|
|
|
|
/**
|
|
* @psalm-taint-unescape html
|
|
*/
|
|
function decode(string $str): string
|
|
{
|
|
return str_replace(
|
|
['<', '>', '"', '''],
|
|
['<', '>', '"', '"'],
|
|
$str
|
|
);
|
|
}
|
|
|
|
$safe = htmlspecialchars($_GET['text']);
|
|
echo decode($safe);
|
|
```
|