Deprecate previous version

Alvaro Muñoz · Alvaro Muñoz · commit 2a1b2db4c397 · 2022-10-11T12:40:32.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -28,6 +28,19 @@ module ReflectedXss {
     HttpResponseSink() { not exists(getAXssSafeHeaderDefinition(this)) }
   }
 
+  /**
+   * DEPRECATED: Gets a HeaderDefinition that defines a XSS safe content-type for `send`.
+   */
+  deprecated Http::HeaderDefinition getANonHtmlHeaderDefinition(Http::ResponseSendArgument send) {
+    exists(Http::RouteHandler h |
+      send.getRouteHandler() = h and
+      result = xssSafeContentTypeHeader(h)
+    |
+      // The HeaderDefinition affects a response sent at `send`.
+      headerAffects(result, send)
+    )
+  }
+
   /**
    * Gets a HeaderDefinition that defines a XSS safe content-type for `send`.
    */
@@ -42,7 +55,7 @@ module ReflectedXss {
   }
 
   /**
-   * A content-type that may lead to javascript code being executed in the browser.
+   * Gets a content-type that may lead to javascript code being executed in the browser.
    * ref: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#content-types
    */
   string xssUnsafeContentType() {
@@ -54,6 +67,16 @@ module ReflectedXss {
       ]
   }
 
+  /**
+   * DEPRECATED: Holds if `h` may send a response with a content type that is safe for XSS.
+   */
+  deprecated Http::HeaderDefinition nonHtmlContentTypeHeader(Http::RouteHandler h) {
+    result = h.getAResponseHeader("content-type") and
+    not exists(string tp | result.defines("content-type", tp) |
+      tp.toLowerCase().matches(xssUnsafeContentType() + "%")
+    )
+  }
+
   /**
    * Holds if `h` may send a response with a content type that is safe for XSS.
    */
