Commit Graph

7 Commits

Author SHA1 Message Date
7b93985829 Fix false positives in credential and XSS detection
- XSS: Fix script tag detection regex to not cross tag boundaries
  Previously {!! !!} in HTML between <script> tags was incorrectly
  flagged as JavaScript context XSS

- Credentials: Change from key-pattern matching to value-based analysis
  - Add looksLikeActualCredential() to analyze if value looks like
    a real credential (alphanumeric, no spaces, no non-ASCII)
  - Skip display text (Japanese, sentences with spaces)
  - Skip placeholder values (changeme, your_*_here, etc.)
  - This fundamentally fixes false positives like:
    'password_reset_mail_subject' => 'パスワードリセットのご案内'

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 20:17:20 +09:00
5356f7d2f8 Simplify XSS safe pattern: check for e() anywhere in expression
Instead of checking for specific patterns like nl2br(e($var)),
now checks if e(), htmlspecialchars(), or htmlentities() appears
anywhere in the expression.

This covers more use cases:
- {!! e($var) !!}
- {!! nl2br(e($var)) !!}
- {!! wordwrap(e($var), 80) !!}
- {!! str_replace('x', 'y', e($var)) !!}

Still flags expressions with escape-breaking functions:
- {!! html_entity_decode(e($var)) !!} -> flagged

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 19:04:44 +09:00
4951b0b557 Allow {!! nl2br(e($var)) !!} as safe XSS pattern
The pattern nl2br(e($var)) is safe because:
1. e() / htmlspecialchars() escapes HTML entities first
2. nl2br() then adds <br> tags for newlines
3. {!! !!} is required to render the <br> tags

This is a common Laravel pattern for displaying user text
with preserved line breaks while preventing XSS.

Also added nl2br(htmlspecialchars()) and nl2br(htmlentities())
as equivalent safe patterns.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 18:59:59 +09:00
ac804606a1 Allow {!! route/url() !!} raw output as safe
URL helper functions (route, url, asset, secure_url, secure_asset,
action, mix, vite) return URL strings, not HTML. Using {!! !!} with
these is safe and often necessary to avoid & being encoded as &amp;.

Added these to the safe patterns in isSafeBladeRawOutput().

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 18:56:30 +09:00
30f2983102 Reduce XSS false positives for safe URL helpers and model IDs
Skip XSS detection for:
- Safe URL helpers: route(), url(), asset(), secure_asset(),
  secure_url(), static_url(), action(), mix(), vite()
- Null coalesce with safe helpers: $var ?? url(...)
- Model ID patterns: $model->id (typically safe integers)

These patterns are unlikely to be user-controllable and create
noise that obscures real vulnerabilities.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 18:50:41 +09:00
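The Blade raw-output rules described in the commits above (safe URL helpers and `$model->id`, an escaping call such as e()/htmlspecialchars()/htmlentities() anywhere in the expression, html_entity_decode() still flagged, and script blocks matched one at a time so a `{!! !!}` sitting between two `<script>` elements is not treated as JavaScript context), as an added Python example that is not the linter's own code. Function names, regexes and the sample template are constructed for illustration.

```python
import re

# Blade raw output {!! expr !!} bypasses Blade's automatic escaping.
RAW_OUTPUT_RE = re.compile(r"\{!!\s*(.*?)\s*!!\}", re.DOTALL)
# Each <script> block is matched on its own, so an expression that sits
# between two script blocks is not mistaken for JavaScript context.
SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.DOTALL | re.IGNORECASE)

# Helpers that return URL strings rather than HTML.
SAFE_URL_HELPERS = ("route", "url", "asset", "secure_url", "secure_asset",
                    "static_url", "action", "mix", "vite")
ESCAPE_FUNCS = ("e", "htmlspecialchars", "htmlentities")   # HTML-escape their input
ESCAPE_BREAKING = ("html_entity_decode",)                   # undo that escaping again

def _call_re(names, anchored=False):
    # Match `name(` as a call; the lookbehind rejects `$name(`, `->name(`, `foo_name(`.
    prefix = "^" if anchored else r"(?<![\w$>])"
    return re.compile(prefix + r"(?:%s)\s*\(" % "|".join(map(re.escape, names)))

ESCAPE_CALL, BREAKING_CALL = _call_re(ESCAPE_FUNCS), _call_re(ESCAPE_BREAKING)
URL_CALL = _call_re(SAFE_URL_HELPERS, anchored=True)
COALESCE_URL = re.compile(r"^\$\w+(?:->\w+)*\s*\?\?\s*" + URL_CALL.pattern[1:])  # $var ?? url(...)
MODEL_ID = re.compile(r"^\$\w+(?:->\w+)*->id$")   # $model->id: integer primary key

def is_safe_blade_raw_output(expr):
    """Verdict for the inside of one {!! !!}: True = safe, False = flag it."""
    expr = expr.strip()
    if BREAKING_CALL.search(expr):     # html_entity_decode(e($x)) re-enables XSS
        return False
    if ESCAPE_CALL.search(expr):       # e() anywhere: nl2br(e($x)), wordwrap(e($x), 80)
        return True
    return bool(URL_CALL.match(expr) or COALESCE_URL.match(expr) or MODEL_ID.match(expr))

def in_script_context(template, pos):
    """True when offset `pos` lies inside the body of a <script> element."""
    return any(m.start(1) <= pos < m.end(1) for m in SCRIPT_BLOCK_RE.finditer(template))

def scan_blade(template):
    """Return (expression, context, verdict) for every raw-output expression."""
    return [(m.group(1),
             "js" if in_script_context(template, m.start()) else "html",
             "safe" if is_safe_blade_raw_output(m.group(1)) else "flagged")
            for m in RAW_OUTPUT_RE.finditer(template)]

# Constructed sample template: the e() expression lies between two script blocks.
TEMPLATE = ("<script>window.cfg = {!! $config !!};</script>\n"
            "<p>{!! e($name) !!}</p>\n"
            "<script>boot();</script>\n")

if __name__ == "__main__":
    for expr, context, verdict in scan_blade(TEMPLATE):
        print(f"{verdict:8} [{context}] {{!! {expr} !!}}")
```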
b1cbddfa76 Fix: handle missing values for options like -s, -f, -o, -l, -d
When options that require values (e.g., -s, -f) are followed by
another flag (e.g., -s -c), the parser set them to boolean true
instead of their expected string value, causing TypeError.

Now these options properly fall back to defaults when no value
is provided.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 15:24:30 +09:00
6280290898 Initial commit: PHP/Laravel Security Linter v1.0.0
A static security analysis tool for PHP and Laravel applications
with recursive taint analysis capabilities.

Features:
- Comprehensive vulnerability detection (XSS, SQL Injection,
  Command Injection, Path Traversal, CSRF, Authentication issues)
- Recursive taint analysis across function calls
- Blade template analysis with context-aware XSS detection
- Smart escape detection and escape bypass detection
- Syntax highlighting in terminal output
- Multi-language support (Japanese/English)
- Docker support for easy deployment
- Multiple output formats (text, JSON, HTML, SARIF, Markdown)
- CI/CD integration ready (GitHub Actions, GitLab CI)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 15:18:53 +09:00