The pattern nl2br(e($var)) is safe because:
1. e() / htmlspecialchars() escapes HTML entities first
2. nl2br() then adds <br> tags for newlines
3. {!! !!} is required to render the <br> tags
This is a common Laravel pattern for displaying user text
with preserved line breaks while preventing XSS.
Also added nl2br(htmlspecialchars()) and nl2br(htmlentities())
as equivalent safe patterns.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
URL helper functions (route, url, asset, secure_url, secure_asset,
action, mix, vite) return URL strings, not HTML. Using {!! !!} with
these is safe and often necessary to avoid & being encoded as &amp;.
Added these to the safe patterns in isSafeBladeRawOutput().
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Skip XSS detection for:
- Safe URL helpers: route(), url(), asset(), secure_asset(),
secure_url(), static_url(), action(), mix(), vite()
- Null coalesce with safe helpers: $var ?? url(...)
- Model ID patterns: $model->id (typically safe integers)
These patterns are unlikely to be user-controllable and create
noise that obscures real vulnerabilities.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
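The safe-pattern rules from the three commit messages above, pulled together into one small Blade raw-output checker. This is an added Python illustration, not the project's isSafeBladeRawOutput() or its real implementation; the regexes, the function names and the sample Blade template are constructed here from the patterns the messages list.

```python
"""Minimal checker for Laravel Blade `{!! ... !!}` raw echoes.

Added illustration of the allowlist described in the commit messages:
nl2br() wrapped around e()/htmlspecialchars()/htmlentities(), the URL
helpers, `??` with a safe helper as the fallback, and `$model->id`.
Not the project's own code; names and sample input are constructed.
"""
import re

# Matches one `{!! expr !!}` echo and captures the expression.
RAW_ECHO = re.compile(r"\{!!\s*(.*?)\s*!!\}")

ESCAPERS = ("e", "htmlspecialchars", "htmlentities")
URL_HELPERS = ("route", "url", "asset", "secure_url", "secure_asset",
               "static_url", "action", "mix", "vite")

# nl2br(e($x)), nl2br(htmlspecialchars($x, ENT_QUOTES)), nl2br(htmlentities($x))
NL2BR_ESCAPED = re.compile(
    r"^nl2br\(\s*(?:%s)\s*\(.*\)\s*\)$" % "|".join(ESCAPERS))
# route('name', $id), asset('img/x.png'), secure_url('/login') ...
URL_HELPER_CALL = re.compile(
    r"^(?:%s)\s*\(.*\)$" % "|".join(URL_HELPERS))
# $model->id, $user->id
MODEL_ID = re.compile(r"^\$[A-Za-z_]\w*->id$")


def is_safe_raw_output(expr: str) -> bool:
    """True when the expression matches one of the allowlisted shapes."""
    expr = expr.strip()
    if "??" in expr:
        # Commit rule: `$var ?? url(...)` is skipped when the fallback is a
        # safe helper. A stricter checker would require every alternative
        # to be safe, since the left operand is whatever the view was given.
        fallback = expr.rsplit("??", 1)[1].strip()
        return bool(URL_HELPER_CALL.match(fallback))
    return bool(NL2BR_ESCAPED.match(expr)
                or URL_HELPER_CALL.match(expr)
                or MODEL_ID.match(expr))


def find_unsafe_raw_echoes(blade_source: str) -> list[tuple[int, str]]:
    """Return (line number, expression) for every raw echo not allowlisted."""
    findings = []
    for lineno, line in enumerate(blade_source.splitlines(), start=1):
        for m in RAW_ECHO.finditer(line):
            expr = m.group(1)
            if not is_safe_raw_output(expr):
                findings.append((lineno, expr))
    return findings


# Constructed sample template: lines 1-4 are allowlisted, 5 and 6 are not.
SAMPLE_BLADE = """\
<p>{!! nl2br(e($comment->body)) !!}</p>
<a href="{!! route('profile', $user->id) !!}">Profile</a>
<img src="{!! $avatarUrl ?? asset('img/default.png') !!}">
<span data-id="{!! $user->id !!}"></span>
<div>{!! $post->content !!}</div>
<div>{!! nl2br($comment->body) !!}</div>
"""

if __name__ == "__main__":
    for lineno, expr in find_unsafe_raw_echoes(SAMPLE_BLADE):
        print(f"line {lineno}: unescaped raw output {{!! {expr} !!}}")
```

Running it reports only lines 5 and 6 of the sample. Note that `nl2br(e($a) . $b)` and `url('/x') . $q` both fall outside the allowlist and are still reported, because the concatenated part is never escaped; the anchored regexes only accept an expression that is wholly one of the listed shapes.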
When options that require values (e.g., -s, -f) are followed by
another flag (e.g., -s -c), the parser set them to boolean true
instead of their expected string value, causing a TypeError.
Now these options properly fall back to defaults when no value
is provided.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>