Potential vulnerabilities are being hidden with concatenation #86
Description
Variables, constants and function calls are not included in the report if concatenated with something which has already been included. Is there any way to override this behaviour other than adding the safe constant to getXSSMitigationFunctions?
echo SAFE_CONSTANT . vulnerableFunction();
// Warning: Possible XSS detected with SAFE_CONSTANT on echoWhen reviewing the report, it can give the impression that an issue is safe when it is not.
Here are some examples from a quick test:
/**
* Warning: Possible XSS detected with CONSTANT on echo
* Warning: Possible XSS detected with $var on echo
*/
echo CONSTANT; echo $var;
/**
* Warning: Possible XSS detected with CONSTANT on echo
*/
echo CONSTANT . $var;
/**
* Error: Easy XSS detected because of direct user input with $_GET on echo
* Error: Easy XSS detected because of direct user input with $_GET on echo
*/
echo $_GET['one'] . $_GET['two'];
/**
* Warning: Possible XSS detected with $varOne on echo
*/
echo $varOne . $varTwo;
/**
* Warning: Possible XSS detected with SAFE_CONSTANT on echo
*/
echo SAFE_CONSTANT . vulnerableFunction();Many thanks