mirror of
https://github.com/danog/psalm.git
synced 2024-12-11 00:39:38 +01:00
546283b71a
* [DOCS] Extend documentation on global variables configuration * [DOCS] Synchronize meaning of @psalm-taint-source input with source code * [DOCS] Add documentation for conditional @psalm-taint-escape * [DOCS] Add documentation for @psalm-taint-unescape
511 B
511 B
Avoiding false-negatives
Unescaping statements
Post-processing previously escaped/encoded statements can cause insecure scenarios.
@psalm-taint-unescape <taint-type>
allows to declare those components insecure explicitly.
<?php
/**
* @psalm-taint-unescape html
*/
function decode(string $str): string
{
return str_replace(
['<', '>', '"', '''],
['<', '>', '"', '"'],
$str
);
}
$safe = htmlspecialchars($_GET['text']);
echo decode($safe);