Allow {!! nl2br(e($var)) !!} as safe XSS pattern

The pattern nl2br(e($var)) is safe because:
1. e() / htmlspecialchars() escapes HTML entities first
2. nl2br() then adds <br> tags for newlines
3. {!! !!} is required to render the <br> tags

This is a common Laravel pattern for displaying user text
with preserved line breaks while preventing XSS.

Also added nl2br(htmlspecialchars()) and nl2br(htmlentities())
as equivalent safe patterns.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
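
As an added illustration of the ordering argument in the commit message above (this is not code from the commit or from the project), the stand-alone PHP script below contrasts the allow-listed `nl2br(e($var))` ordering with the reversed order, with no escaping at all, and with an expression that merely begins with `nl2br(e(` but concatenates raw input inside the call. The `e()` defined here is a simplified stand-in for Laravel's helper, built on htmlspecialchars() with the flags Laravel uses by default; `$input` and `$url` are constructed sample values.

```php
<?php
// Added illustration, not part of the commit: why the order of e() and nl2br()
// matters, and why a prefix-only allow-list is weaker than it looks.
declare(strict_types=1);

// Simplified stand-in for Laravel's e() helper (assumption: Laravel itself also
// handles Htmlable values and a $doubleEncode flag, which are omitted here).
// Escapes &, <, >, " and ' so the result is inert text in an HTML text node
// or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker-controlled input: a script payload, a newline, a second line.
$input = "<script>alert(1)</script>\nsecond line";

// 1. Allow-listed ordering: escape first, then insert <br />.
//    The payload becomes inert entities and the newline becomes a real <br />.
$safe = nl2br(e($input));

// 2. Reversed ordering: nl2br() first, then e().
//    The inserted <br /> is itself escaped and shows up literally in the page,
//    so the text is still inert but the line breaks are lost. This is why the
//    pattern has to be nl2br(e(...)) and not e(nl2br(...)).
$lostBreaks = e(nl2br($input));

// 3. No escaping inside {!! !!}: the script tag is emitted verbatim and runs.
$unsafe = nl2br($input);

// 4. Begins with "nl2br(e(" and would pass a prefix-only regex such as
//    /^\s*nl2br\s*\(\s*e\s*\(/, yet $url never passes through e(), so a
//    javascript: URL (or a quote that closes the attribute) lands in the markup.
$url       = 'javascript:alert(1)'; // constructed, attacker-controlled
$looksSafe = nl2br(e('Visit: ') . '<a href="' . $url . '">here</a>');

// Crude check used only for this demonstration: does the rendered HTML still
// contain a raw "<script" tag or an unescaped javascript: URL?
function containsActiveContent(string $html): bool
{
    return stripos($html, '<script') !== false
        || stripos($html, 'javascript:') !== false;
}

foreach (['safe' => $safe, 'lostBreaks' => $lostBreaks, 'unsafe' => $unsafe, 'looksSafe' => $looksSafe] as $name => $html) {
    printf(
        "%-10s active=%s  %s\n",
        $name,
        containsActiveContent($html) ? 'yes' : 'no ',
        str_replace("\n", '\n', $html)
    );
}
```

Run it with `php` on the command line: only `safe` and `lostBreaks` come out inert, and `lostBreaks` shows the escaped `&lt;br /&gt;` that the commit message's point 3 (the need for `{!! !!}`) refers to. The `looksSafe` case is the one a reviewer of the regex should keep in mind: the allow-list accepts the expression because of how it starts, not because every piece of it was escaped.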
2026-01-31 18:59:59 +09:00
parent ac804606a1
commit 4951b0b557

@@ -493,6 +493,11 @@ class XssRule extends BaseRule
'/^\s*action\s*\(/', // action() helper '/^\s*action\s*\(/', // action() helper
'/^\s*mix\s*\(/', // mix() helper (Laravel Mix) '/^\s*mix\s*\(/', // mix() helper (Laravel Mix)
'/^\s*vite\s*\(/', // vite() helper (Vite) '/^\s*vite\s*\(/', // vite() helper (Vite)
// nl2br with e() - common safe pattern for displaying user text with line breaks
// e() escapes HTML first, then nl2br() adds <br> tags
'/^\s*nl2br\s*\(\s*e\s*\(/', // nl2br(e($var))
'/^\s*nl2br\s*\(\s*htmlspecialchars\s*\(/', // nl2br(htmlspecialchars($var))
'/^\s*nl2br\s*\(\s*htmlentities\s*\(/', // nl2br(htmlentities($var))
]; ];
foreach ($safePatterns as $pattern) { foreach ($safePatterns as $pattern) {
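Review bot: the three new allow-list regexes on the `nl2br` lines anchor only the opening `nl2br(e(`, `nl2br(htmlspecialchars(` and `nl2br(htmlentities(` prefix, so any expression that starts that way is accepted no matter what follows, for example `nl2br(e($title) . $body)` or `nl2br(e($text)) . $raw`, where the concatenated variable never goes through the escaper. Consider requiring the whole expression to be a single balanced escaper call as the only argument of `nl2br()` with nothing after the closing parenthesis, or running the remainder of the expression through whatever concatenation handling the rule already applies to other allow-listed helpers. The `htmlspecialchars` and `htmlentities` variants also accept a flags argument, and `htmlspecialchars($x, ENT_NOQUOTES)` leaves quotes unescaped, which breaks out of an attribute if the `{!! !!}` sits inside one; either restrict those two patterns to the no-flags or `ENT_QUOTES` form or extend the comment on the `// nl2br with e()` line to say the allow-list assumes text-node context, since "displaying user text with line breaks" is the only case the comment currently describes.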