From 4951b0b5572ce7545cd3fecd9623d474aafa8a0f Mon Sep 17 00:00:00 2001
From: Yutaka Kurosaki
Date: Sat, 31 Jan 2026 18:59:59 +0900
Subject: [PATCH] Allow {!! nl2br(e($var)) !!} as safe XSS pattern
The pattern nl2br(e($var)) is safe because:
1. e() / htmlspecialchars() escapes HTML entities first
2. nl2br() then adds
tags for newlines 3. {!! !!} is required to render the
tags
This is a common Laravel pattern for displaying user text with preserved line breaks while preventing XSS. Also added nl2br(htmlspecialchars()) and nl2br(htmlentities()) as equivalent safe patterns.
Co-Authored-By: Claude Opus 4.5
---
 src/Rules/XssRule.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Rules/XssRule.php b/src/Rules/XssRule.php
index 66dc3ca..bd0f345 100644
--- a/src/Rules/XssRule.php
+++ b/src/Rules/XssRule.php
@@ -493,6 +493,11 @@ class XssRule extends BaseRule
 '/^\s*action\s*\(/', // action() helper
 '/^\s*mix\s*\(/', // mix() helper (Laravel Mix)
 '/^\s*vite\s*\(/', // vite() helper (Vite)
+ // nl2br with e() - common safe pattern for displaying user text with line breaks
+ // e() escapes HTML first, then nl2br() adds
tags
+ '/^\s*nl2br\s*\(\s*e\s*\(/', // nl2br(e($var))
+ '/^\s*nl2br\s*\(\s*htmlspecialchars\s*\(/', // nl2br(htmlspecialchars($var))
+ '/^\s*nl2br\s*\(\s*htmlentities\s*\(/', // nl2br(htmlentities($var))
 ];
 
 foreach ($safePatterns as $pattern) {
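Review bot: The three added patterns only anchor the start of the expression, so an expression such as `nl2br(e($comment)) . $raw` or `nl2br(e($title) . $body)` is accepted as a whole even though part of what reaches the `{!! !!}` output is unescaped; the `action(`/`mix(`/`vite(` entries above share the prefix-only anchor, but for this commit it matters more, because the safety argument in the description rests on e() wrapping the entire value nl2br() receives. Assuming the string being matched is the bare expression between the `{!! !!}` delimiters (the `foreach` over `$safePatterns` starts at the end of the hunk and its body is outside it), anchoring the end and refusing nested parentheses closes both gaps, at the cost of rejecting forms like `nl2br(e(trim($x)))`: `'/^\s*nl2br\s*\(\s*e\s*\([^()]*\)\s*\)\s*$/'`, `'/^\s*nl2br\s*\(\s*htmlspecialchars\s*\([^()]*\)\s*\)\s*$/'`, `'/^\s*nl2br\s*\(\s*htmlentities\s*\([^()]*\)\s*\)\s*$/'`. A one-line comment stating that the nested form is rejected on purpose would help whoever later loosens the rule. The enclosing method begins and ends outside the hunk.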