From dcdbd13d97bbf824c94db7c764cb34b18ef3d8ba Mon Sep 17 00:00:00 2001
From: sbassett
Date: Tue, 13 Aug 2019 17:06:53 -0500
Subject: [PATCH] Set @return-taint of Sanitizer::stripAllTags to tainted

phan-taint-check (aka SecurityCheckPlugin) doesn't recognize Sanitizer::stripAllTags' output as tainted in certain situations. Adding a @return-taint of tainted to ensure that it does, which may result in the reporting of more issues.

Bug: T230234
Change-Id: I357c168417a26882c7c460df20f36ec2be401096
---
 includes/parser/Sanitizer.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php
index 8e0cf5c877..d4110468b6 100644
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -2036,6 +2036,7 @@ class Sanitizer {
 *
 * @param string $html HTML fragment
 * @return string
+ * @return-taint tainted
 */
 static function stripAllTags( $html ) {
 // Use RemexHtml to tokenize $html and extract the text
--
2.20.1
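Review bot: The added `@return-taint tainted` line in the stripAllTags docblock states no reason, and a method with this name is easy to read as returning output that is safe to place in HTML, so a later cleanup could drop the annotation. The hunk shows the method extracting text with RemexHtml, and presumably that text can still contain characters such as `<` or `&`; I would say so next to the return type, e.g. `@return string Plain text, not HTML-escaped; escape before output`. The docblock begins above the hunk and may already carry such a warning, in which case the `@return` line only needs a short pointer to it. The method body continues past the end of the hunk.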