Add Psalm taint annotations for XSS prevention

claude · koriym · commit 9fcb1663b05e · 2025-12-22T22:22:00.000+09:00
This commit adds Psalm taint escape annotations for HTML security:

- TwigRenderer::render: marks Twig rendering as HTML escape
- ErrorPagerRenderer::render: marks error page rendering as HTML escape

Twig's autoescape feature automatically escapes HTML entities in
template output, making these methods safe sinks for HTML-tainted data.
diff --git a/src/ErrorPagerRenderer.php b/src/ErrorPagerRenderer.php
@@ -28,6 +28,8 @@ public function __construct(
      * @throws LoaderError
      * @throws RuntimeError
      * @throws SyntaxError
+     *
+     * @psalm-taint-escape html
      */
     public function render(ResourceObject $ro): string
     {
diff --git a/src/TwigRenderer.php b/src/TwigRenderer.php
@@ -41,6 +41,8 @@ public function __construct(
 
     /**
      * {@inheritDoc}
+     *
+     * @psalm-taint-escape html
      */
     public function render(ResourceObject $ro)
     {

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ public function __construct(`
`28`	`28`	`* @throws LoaderError`
`29`	`29`	`* @throws RuntimeError`
`30`	`30`	`* @throws SyntaxError`
	`31`	`+ *`
	`32`	`+ * @psalm-taint-escape html`
`31`	`33`	`*/`
`32`	`34`	`public function render(ResourceObject $ro): string`
`33`	`35`	`{`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,8 @@ public function __construct(`
`41`	`41`
`42`	`42`	`/**`
`43`	`43`	`* {@inheritDoc}`
	`44`	`+ *`
	`45`	`+ * @psalm-taint-escape html`
`44`	`46`	`*/`
`45`	`47`	`public function render(ResourceObject $ro)`
`46`	`48`	`{`