feat(guards): add GR-SEC-010 — output escaping enforcement in views

Add architecture test ViewLayerOutputEscapingContractTest that flags
raw <?php echo in .phtml files. Legitimate uses (pre-built ARIA attrs
from navActive(), hardcoded role values, pre-rendered HTML fragments)
must carry an inline // raw-html-ok: reason marker.

Annotated all 11 existing raw echo sites with justification markers.
Added guard to catalog, enforcement map (automated), CLAUDE.md security
section, and never-do-this list.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-06 12:08:25 +02:00
parent 9a4d59eb4c
commit 576a0c51cd
12 changed files with 150 additions and 11 deletions

View File

@@ -101,7 +101,7 @@ $currentPath = trim((string) ($bookmarkNav['current_path'] ?? ''));
data-bookmark-group-id="">
<a href="<?php e(lurl($bookmarkUrl)); ?>"
class="<?php e($bookmarkActive ? 'active' : ''); ?>"
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; ?>>
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; // raw-html-ok: hardcoded ARIA attribute ?>>
<?php e($bookmarkName); ?>
</a>
<details class="app-sidebar-bookmark-action-menu" data-bookmark-action-menu>
@@ -199,7 +199,7 @@ $currentPath = trim((string) ($bookmarkNav['current_path'] ?? ''));
data-bookmark-group-id="<?php e($groupId); ?>">
<a href="<?php e(lurl($bookmarkUrl)); ?>"
class="<?php e($bookmarkActive ? 'active' : ''); ?>"
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; ?>>
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; // raw-html-ok: hardcoded ARIA attribute ?>>
<?php e($bookmarkName); ?>
</a>
<details class="app-sidebar-bookmark-action-menu" data-bookmark-action-menu>