[BUG] Encoding functions hide unresolved variable markers #7032

@dogancanbakir

Is there an existing issue for this?

  • I have searched the existing issues.

Current Behavior

When a template variable contains unresolved {{...}} markers (e.g. {{contact_id}}) and that variable is passed through an encoding function like base64(), the markers get encoded into an opaque blob. The ContainsUnresolvedVariables check cannot detect them, so the request fires with garbage data instead of being blocked.

Expected Behavior

Nuclei should warn about unresolved variables (contact_id, email) and skip the request when they haven't been provided via -var.

Steps To Reproduce

  1. Use a template with self-referential variables like contact_id: "{{contact_id}}" that require user input via -var
  2. The template passes the variable through an encoding function, e.g. {{base64(rawhash)}} where rawhash contains {{contact_id}}
  3. Run without providing -var contact_id=...
  4. The request fires with base64-encoded garbage instead of being blocked

Relevant log output

# Without fix: base64() encodes the unresolved markers into an opaque blob
# Input: {{base64(rawhash)}} where rawhash = {"contact_id":"{{contact_id}}","email":"{{email}}"}
# Output: eyJjb250YWN0X2lkIjoie3tjb250YWN0X2lkfX0iLCJlbWFpbCI6Int7ZW1haWx9fSJ9
# ContainsUnresolvedVariables cannot detect contact_id or email in the blob

Environment

  • OS: macOS 15.7
  • Nuclei: v3.6.2 (dev)
  • Go: go1.25.6

Anything else?

The fix needs to live inside evaluate() in pkg/protocols/common/expressions/expressions.go since that is the shared entry point for all protocol handlers (HTTP, DNS, SSL, websocket, etc.).
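
The behaviour reported above, as an added Go illustration that is not taken from Nuclei's source: it shows why a marker check run on the encoded output finds nothing, while the same check run on the function argument before encoding names both variables. The names markerRe, unresolved, encodeUnchecked and encodeChecked are hypothetical, and the regex is a simplified stand-in for what ContainsUnresolvedVariables matches.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
)

// markerRe matches simple {{name}} placeholders (constructed pattern, an assumption).
var markerRe = regexp.MustCompile(`\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)

// unresolved returns the sorted, de-duplicated marker names still present in s.
func unresolved(s string) []string {
	seen := map[string]bool{}
	var names []string
	for _, m := range markerRe.FindAllStringSubmatch(s, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			names = append(names, m[1])
		}
	}
	sort.Strings(names)
	return names
}

// encodeUnchecked mirrors the reported behaviour: encode first, check the output later.
func encodeUnchecked(value string) string {
	return base64.StdEncoding.EncodeToString([]byte(value))
}

// encodeChecked inspects the argument before encoding and refuses if markers remain.
func encodeChecked(value string) (string, error) {
	if names := unresolved(value); len(names) > 0 {
		return "", fmt.Errorf("unresolved variables: %v", names)
	}
	return encodeUnchecked(value), nil
}

func main() {
	// rawhash value as given in the issue's log output.
	rawhash := `{"contact_id":"{{contact_id}}","email":"{{email}}"}`
	blob := encodeUnchecked(rawhash)
	fmt.Println(blob, unresolved(blob)) // check on the blob finds no markers
	_, err := encodeChecked(rawhash)
	fmt.Println(err) // check before encoding reports both variables
}
```
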

Labels: Type: Bug (Inconsistencies or issues which will cause an issue or problem for users or implementors.)
