From ac804606a15963d5a9941555f652d8f8f6b776e7 Mon Sep 17 00:00:00 2001
From: Yutaka Kurosaki
Date: Sat, 31 Jan 2026 18:56:30 +0900
Subject: [PATCH] Allow {!! route/url() !!} raw output as safe URL helper functions (route, url, asset, secure_url, secure_asset, action, mix, vite) return URL strings, not HTML. Using {!! !!} with these is safe and often necessary to avoid & being encoded as & Added these to the safe patterns in isSafeBladeRawOutput().
Co-Authored-By: Claude Opus 4.5
---
 src/Rules/XssRule.php | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/Rules/XssRule.php b/src/Rules/XssRule.php
index 1c3cfb2..66dc3ca 100644
--- a/src/Rules/XssRule.php
+++ b/src/Rules/XssRule.php
@@ -484,6 +484,15 @@ class XssRule extends BaseRule
 '/\bcsrf_token\s*\(/', // CSRF token helper
 '/\btrans\s*\(/', // Laravel translation (usually safe)
 '/\b__\s*\(/', // Laravel translation helper
+ // URL helpers - generate URLs, not HTML, so safe for raw output
+ '/^\s*route\s*\(/', // route() helper
+ '/^\s*url\s*\(/', // url() helper
+ '/^\s*asset\s*\(/', // asset() helper
+ '/^\s*secure_url\s*\(/', // secure_url() helper
+ '/^\s*secure_asset\s*\(/', // secure_asset() helper
+ '/^\s*action\s*\(/', // action() helper
+ '/^\s*mix\s*\(/', // mix() helper (Laravel Mix)
+ '/^\s*vite\s*\(/', // vite() helper (Vite)
 ];

 foreach ($safePatterns as $pattern) {
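Review bot: The added patterns only match the call shape at the start of the expression, so `{!! url($request->input('next')) !!}`, `{!! asset($user->avatar_path) !!}` or `{!! route('show', [$slug]) . $suffix !!}` now pass as safe raw output even though these helpers build their result from the argument without HTML-escaping it, and a URL string inside an `href`/`src` attribute is only safe once it is entity-escaped — which `{{ }}` does and `{!! !!}` deliberately skips. Consider requiring a single quoted-literal argument and anchoring the end of the expression, e.g. replacing the six `route`…`action` entries with `'/^\s*(?:route|url|asset|secure_url|secure_asset|action)\s*\(\s*([\'"])[^\'"]*\1\s*\)\s*$/', // URL helper called with one literal argument and nothing appended`, so `url('/')` is still allowed but `url($var)` and `url('/') . $x` keep being flagged. The `&` → `&amp;` motivation in the description does not hold for attribute context either, since `&amp;` is the correct encoding there and browsers decode it before following the link. If I recall Laravel's helpers correctly, `mix()` and `vite()` return an `HtmlString` of `<script>`/`<link>` tags rather than a URL, so `{{ }}` already emits them unescaped and they do not fit the "URL helpers" heading on the first added line — worth confirming before keeping those two entries. The enclosing method (`isSafeBladeRawOutput()` per the description) starts before this hunk and the `foreach` loop continues after it.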