Test case:
```lang=php
class Main {
	function doFoo() {
		echo $this->getBaz(); // Should report an XSS here, but it doesn't
	}
	function getBaz() {
		return 'x';
	}
}
class Child extends Main {
	function getBaz() {
		return $_GET['x'];
	}
}
```
This seems to be a limitation of phan as well, see [[https://phan.github.io/demo/?code=%3C%3Fphp%0A%0Aclass+Main+%7B%0A%09function+doFoo%28%29+%7B%0A%09%09%24r+%3D+%24this-%3EgetBaz%28%29%3B%0A%09%09%27%40phan-debug-var+%24r%27%3B%0A%09%7D%0A%09%2F**%0A%09+*+%40return+string%0A%09+*%2F%0A%09function+getBaz%28%29+%7B%0A%09%09return+%27x%27%3B%0A%09%7D%0A%7D%0A%0Aclass+Child+extends+Main+%7B%0A++++%2F**+%40return+int+*%2F%0A%09function+getBaz%28%29+%7B%0A%09%09return+42%3B%0A%09%7D%0A%7D | demo ]]. I'm not even sure if phan offers an API for retrieving a list of subclasses of a given class. If it does, then resolving this would be easy, but then I'd be concerned about performance.
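
The following is an added example, not part of the original task and not code from phan or the taint-check plugin. It is a toy model of the idea raised above: resolve `$this->getBaz()` against the receiver class and every subclass, then take the union of the return taint. The `PARENT_OF` and `RETURN_TAINT` tables and all function names are hypothetical and constructed for this test case.

```php
<?php
// Toy model (constructed): these tables stand in for an analyzer's class map
// and per-method return taint. They are not phan or taint-check structures.
const PARENT_OF = ['Main' => null, 'Child' => 'Main'];
const RETURN_TAINT = [
    'Main::getBaz'  => false, // returns the literal 'x'
    'Child::getBaz' => true,  // returns $_GET['x']
];

/** All classes that extend $class, directly or transitively. */
function subclassesOf(string $class): array {
    $found = [];
    foreach (PARENT_OF as $name => $parent) {
        for ($p = $parent; $p !== null; $p = PARENT_OF[$p]) {
            if ($p === $class) {
                $found[] = $name;
                break; // leave the ancestor walk, continue with next class
            }
        }
    }
    return $found;
}

/** Nearest class defining $method, starting at $class and walking up. */
function declaringClass(string $class, string $method): ?string {
    for ($c = $class; $c !== null; $c = PARENT_OF[$c]) {
        if (array_key_exists($c . '::' . $method, RETURN_TAINT)) {
            return $c;
        }
    }
    return null;
}

// Taint of `$this->$method()` written inside $class. Without overrides only
// the statically visible definition counts, which is how the XSS is missed.
function callTaint(string $class, string $method, bool $withOverrides): bool {
    $receivers = $withOverrides
        ? array_merge([$class], subclassesOf($class))
        : [$class];
    foreach ($receivers as $receiver) {
        $decl = declaringClass($receiver, $method);
        if ($decl !== null && RETURN_TAINT[$decl . '::' . $method]) {
            return true;
        }
    }
    return false;
}

var_dump(callTaint('Main', 'getBaz', false)); // static receiver only
var_dump(callTaint('Main', 'getBaz', true));  // receiver plus subclasses
```

`subclassesOf()` scans the whole class map for every call site, so on a large code base the subclass list would need to be computed once and cached.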