<?php

/**
 * @return-taint tainted
 */
function getUnsafe() { // Line 6
}
echo getUnsafe();

input:8: SecurityCheck-XSS Echoing expression that was not html escaped (Caused by: input +6)
The caused-by line should say something like "return value of \getUnsafe() is annotated at input.php +4", and not point to line 6.