Test case:
```php
class Main {
    function doFoo() {
        echo $this->getBaz(); // Should report an XSS here, but it doesn't
    }
    function getBaz() {
        return 'x';
    }
}
class Child extends Main {
    function getBaz() {
        return $_GET['x'];
    }
}
```
This seems to be a limitation of phan as well, see demo. I'm not even sure if phan offers an API for retrieving a list of subclasses of a given class. If it does, then resolving this would be easy, but then I'd be concerned about performance.
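To make the missed case concrete, here is an added toy model of the resolution step the report describes (this is illustration code, not phan's or the taint-check plugin's). It assumes a simplified world where each method's return value is either tainted or not, and a constructed class table mirroring the test case (`Main::getBaz` safe, `Child::getBaz` tainted) plus two extra classes to show inheritance of an override and of the safe base method. `call_taint` first resolves `$this->getBaz()` the way the report observes (receiver only, so `Main::doFoo()` looks safe) and then with every subclass override unioned in, which is the sound answer for a call on `$this`.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class ClassInfo:
    name: str
    parent: str | None = None
    # method name -> True if that method's return value may be attacker-controlled
    methods: dict[str, bool] = field(default_factory=dict)

# Constructed sample mirroring the test case from the report, plus two extra
# classes: GrandChild inherits Child's tainted override, Other inherits Main's
# safe base method. None of this is taken from phan's own data structures.
HIERARCHY: dict[str, ClassInfo] = {
    "Main": ClassInfo("Main", None, {"getBaz": False}),     # return 'x'
    "Child": ClassInfo("Child", "Main", {"getBaz": True}),  # return $_GET['x']
    "GrandChild": ClassInfo("GrandChild", "Child"),         # no override
    "Other": ClassInfo("Other", "Main"),                    # no override
}

def subclasses(hierarchy: dict[str, ClassInfo], cls: str) -> list[str]:
    """All transitive subclasses of cls (the lookup the report wishes phan exposed)."""
    out: list[str] = []
    frontier = [cls]
    while frontier:
        current = frontier.pop()
        for info in hierarchy.values():
            if info.parent == current:
                out.append(info.name)
                frontier.append(info.name)
    return out

def resolve_method(hierarchy: dict[str, ClassInfo], cls: str, method: str) -> str:
    """Walk up the parent chain to the class that actually defines method."""
    current: str | None = cls
    while current is not None:
        info = hierarchy[current]
        if method in info.methods:
            return current
        current = info.parent
    raise LookupError(f"{cls}::{method} is undefined")

def return_taint(hierarchy: dict[str, ClassInfo], cls: str, method: str) -> bool:
    """Taint of method's return value as seen from an instance of cls."""
    defining = resolve_method(hierarchy, cls, method)
    return hierarchy[defining].methods[method]

def call_taint(hierarchy: dict[str, ClassInfo], receiver: str, method: str,
               include_subclasses: bool = True) -> tuple[bool, list[str]]:
    """Taint of `$this->method()` inside class `receiver`.

    With include_subclasses=False only the receiver's own resolution is
    consulted, which is the behaviour the report observes (Main::doFoo() looks
    safe). With it, every override reachable through a subclass is unioned in,
    since at runtime $this may be any subclass instance.
    Returns (tainted?, classes whose resolution contributed taint).
    """
    candidates = [receiver]
    if include_subclasses:
        candidates += subclasses(hierarchy, receiver)
    tainted_in = [c for c in candidates if return_taint(hierarchy, c, method)]
    return bool(tainted_in), tainted_in

if __name__ == "__main__":
    unsound, _ = call_taint(HIERARCHY, "Main", "getBaz", include_subclasses=False)
    sound, sources = call_taint(HIERARCHY, "Main", "getBaz")
    print("receiver only  :", unsound)          # False -> the XSS is missed
    print("with subclasses:", sound, sources)   # True, Child and GrandChild
```

On the performance concern raised above: this toy scans the whole class table for every `subclasses()` call, which is quadratic over a large code base; a real implementation would build the parent-to-children map once per analysis run and walk it, so the extra cost per `$this->method()` call site is proportional to the number of overrides, not the number of classes.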
Upstream issue: https://github.com/phan/phan/issues/4502