feat(guards): add GR-SEC-010 — output escaping enforcement in views
Add architecture test ViewLayerOutputEscapingContractTest that flags raw <?php echo in .phtml files. Legitimate uses (pre-built ARIA attrs from navActive(), hardcoded role values, pre-rendered HTML fragments) must carry an inline // raw-html-ok: reason marker. Annotated all 11 existing raw echo sites with justification markers. Added guard to catalog, enforcement map (automated), CLAUDE.md security section, and never-do-this list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -101,7 +101,7 @@ $currentPath = trim((string) ($bookmarkNav['current_path'] ?? ''));
|
||||
data-bookmark-group-id="">
|
||||
<a href="<?php e(lurl($bookmarkUrl)); ?>"
|
||||
class="<?php e($bookmarkActive ? 'active' : ''); ?>"
|
||||
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; ?>>
|
||||
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; // raw-html-ok: hardcoded ARIA attribute ?>>
|
||||
<?php e($bookmarkName); ?>
|
||||
</a>
|
||||
<details class="app-sidebar-bookmark-action-menu" data-bookmark-action-menu>
|
||||
@@ -199,7 +199,7 @@ $currentPath = trim((string) ($bookmarkNav['current_path'] ?? ''));
|
||||
data-bookmark-group-id="<?php e($groupId); ?>">
|
||||
<a href="<?php e(lurl($bookmarkUrl)); ?>"
|
||||
class="<?php e($bookmarkActive ? 'active' : ''); ?>"
|
||||
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; ?>>
|
||||
<?php echo $bookmarkActive ? 'aria-current="page"' : ''; // raw-html-ok: hardcoded ARIA attribute ?>>
|
||||
<?php e($bookmarkName); ?>
|
||||
</a>
|
||||
<details class="app-sidebar-bookmark-action-menu" data-bookmark-action-menu>
|
||||
|
||||
Reference in New Issue
Block a user