Move html TemplateEscape out of Texttemplate module

gagliardetto · gagliardetto · commit a340270dc143 · 2020-09-14T15:47:52.000+02:00
diff --git a/ql/src/semmle/go/frameworks/stdlib/HtmlTemplate.qll b/ql/src/semmle/go/frameworks/stdlib/HtmlTemplate.qll
@@ -6,6 +6,24 @@ import go
 
 /** Provides models of commonly used functions in the `html/template` package. */
 module HtmlTemplate {
+  private class TemplateEscape extends EscapeFunction::Range {
+    string kind;
+
+    TemplateEscape() {
+      exists(string fn |
+        fn.matches("HTMLEscape%") and kind = "html"
+        or
+        fn.matches("JSEscape%") and kind = "js"
+        or
+        fn.matches("URLQueryEscape%") and kind = "url"
+      |
+        this.hasQualifiedName("html/template", fn)
+      )
+    }
+
+    override string kind() { result = kind }
+  }
+
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
     FunctionOutput outp;
diff --git a/ql/src/semmle/go/frameworks/stdlib/TextTemplate.qll b/ql/src/semmle/go/frameworks/stdlib/TextTemplate.qll
@@ -18,8 +18,6 @@ module TextTemplate {
         fn.matches("URLQueryEscape%") and kind = "url"
       |
         this.hasQualifiedName("text/template", fn)
-        or
-        this.hasQualifiedName("html/template", fn)
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,6 @@ module TextTemplate {`
`18`	`18`	`fn.matches("URLQueryEscape%") and kind = "url"`
`19`	`19`	`\|`
`20`	`20`	`this.hasQualifiedName("text/template", fn)`
`21`		`- or`
`22`		`- this.hasQualifiedName("html/template", fn)`
`23`	`21`	`)`
`24`	`22`	`}`
`25`	`23`