Would be nice to add phan-taint-check-plugin to Scribunto extensions
<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./includes/common/ScribuntoContent.php">
    <error line="91" severity="warning" message="Calling method \Parser::parse() in \ScribuntoContent::fillParserOutput that outputs using tainted argument $docWikitext. (Caused by: Builtin-\Parser::parse) (Caused by: ./includes/common/ScribuntoContent.php +75)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php">
    <error line="62" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +10)" source="SecurityCheck-XSS"/>
    <error line="63" severity="warning" message="Argument to require, include or eval is user controlled (Caused by: ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +10)" source="SecurityCheck-OTHER"/>
    <error line="65" severity="warning" message="Echoing expression that was not html escaped (Caused by: ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +32; ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +44; ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +41; ./includes/engi...)" source="SecurityCheck-XSS"/>
    <error line="66" severity="warning" message="Argument to require, include or eval is user controlled (Caused by: ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +32; ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +44; ./includes/engines/LuaCommon/lualib/ustring/make-normalization-table.php +41; ./includes/engi...)" source="SecurityCheck-OTHER"/>
  </file>
</checkstyle>
For make-normalization-table.php, it seems issues cannot be suppressed on global state.