github
diff --git a/‎java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
Lines changed: 37 additions & 37 deletions b/‎java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java
Lines changed: 37 additions & 37 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
Lines changed: 10 additions & 10 deletions b/‎java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java
Lines changed: 10 additions & 10 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
Lines changed: 28 additions & 28 deletions b/‎java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java
Lines changed: 28 additions & 28 deletions
@@ -12,25 +12,25 @@
 public class JaxXSS {
 
   @GET
-  public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) {
+  public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source
 
     Response.ResponseBuilder builder = Response.ok();
 
     if(!safeContentType) {
       if(chainDirectly) {
         if(contentTypeFirst)
-          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+          return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
         else
-          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss
+          return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert
       }
       else {
         if(contentTypeFirst) {
           Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);
-          return builder2.entity(userControlled).build(); // $ xss
+          return builder2.entity(userControlled).build(); // $ Alert
         }
         else {
           Response.ResponseBuilder builder2 = builder.entity(userControlled);
-          return builder2.type(MediaType.TEXT_HTML).build(); // $ xss
+          return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert
         }
       }
     }
@@ -56,7 +56,7 @@ public static Response specificContentType(boolean safeContentType, boolean chai
   }
 
   @GET
-  public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) {
+  public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source
 
     // Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above:
 
@@ -105,39 +105,39 @@ else if(route == 8) {
     else {
       if(route == 0) {
         // via ok, as a string literal:
-        return Response.ok("text/html").entity(userControlled).build(); // $ xss
+        return Response.ok("text/html").entity(userControlled).build(); // $ Alert
       }
       else if(route == 1) {
         // via ok, as a string constant:
-        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+        return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
       }
       else if(route == 2) {
         // via ok, as a MediaType constant:
-        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss
+        return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert
       }
       else if(route == 3) {
         // via ok, as a Variant, via constructor:
-        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
+        return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
       }
       else if(route == 4) {
         // via ok, as a Variant, via static method:
-        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
+        return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
       }
       else if(route == 5) {
         // via ok, as a Variant, via instance method:
-        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss
+        return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert
       }
       else if(route == 6) {
         // via builder variant, before entity:
-        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss
+        return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert
       }
       else if(route == 7) {
         // via builder variant, after entity:
-        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss
+        return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert
       }
       else if(route == 8) {
         // provide entity via ok, then content-type via builder:
-        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss
+        return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert
       }
     }
 
@@ -161,28 +161,28 @@ public static Response methodContentTypeSafeStringLiteral(String userControlled)
   }
 
   @GET @Produces(MediaType.TEXT_HTML)
-  public static Response methodContentTypeUnsafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeUnsafe(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @POST @Produces(MediaType.TEXT_HTML)
-  public static Response methodContentTypeUnsafePost(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET @Produces("text/html")
-  public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})
-  public static Response methodContentTypeMaybeSafe(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET @Produces(MediaType.APPLICATION_JSON)
-  public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+  public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
+    return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
   }
 
   @GET @Produces(MediaType.TEXT_HTML)
@@ -204,27 +204,27 @@ public String testDirectReturn(String userControlled) {
     }
 
     @GET @Produces({"text/html"})
-    public Response overridesWithUnsafe(String userControlled) {
-      return Response.ok(userControlled).build(); // $ xss
+    public Response overridesWithUnsafe(String userControlled) { // $ Source
+      return Response.ok(userControlled).build(); // $ Alert
     }
 
     @GET
-    public Response overridesWithUnsafe2(String userControlled) {
-      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss
+    public Response overridesWithUnsafe2(String userControlled) { // $ Source
+      return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert
     }
   }
 
   @Path("/abc")
   @Produces({"text/html"})
   public static class ClassContentTypeUnsafe {
     @GET
-    public Response test(String userControlled) {
-      return Response.ok(userControlled).build(); // $ xss
+    public Response test(String userControlled) { // $ Source
+      return Response.ok(userControlled).build(); // $ Alert
     }
 
     @GET
-    public String testDirectReturn(String userControlled) {
-      return userControlled; // $ xss
+    public String testDirectReturn(String userControlled) { // $ Source
+      return userControlled; // $ Alert
     }
 
     @GET @Produces({"application/json"})
@@ -239,13 +239,13 @@ public Response overridesWithSafe2(String userControlled) {
   }
 
   @GET
-  public static Response entityWithNoMediaType(String userControlled) {
-    return Response.ok(userControlled).build(); // $ xss
+  public static Response entityWithNoMediaType(String userControlled) { // $ Source
+    return Response.ok(userControlled).build(); // $ Alert
   }
 
   @GET
-  public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $ xss
+  public static String stringWithNoMediaType(String userControlled) { // $ Source
+    return userControlled; // $ Alert
   }
 
 }
@@ -18,15 +18,15 @@ public void encodeBegin(FacesContext facesContext, UIComponent component) throws
     {
         super.encodeBegin(facesContext, component);
 
-        Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap();
+         Map<String, String> requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source
         String windowId = requestParameters.get("window_id");
 
         ResponseWriter writer = facesContext.getResponseWriter();
         writer.write("<script type=\"text/javascript\">");
         writer.write("(function(){");
         writer.write("dswh.init('" + windowId + "','"
                 + "......" + "',"
-                + -1 + ",{"); // $ xss
+                + -1 + ",{"); // $ Alert
         writer.write("});");
         writer.write("})();");
         writer.write("</script>");
@@ -57,13 +57,13 @@ public void testAllSources(FacesContext facesContext) throws IOException
     {
         ExternalContext ec = facesContext.getExternalContext();
         ResponseWriter writer = facesContext.getResponseWriter();
-        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ xss
-        writer.write(ec.getRequestParameterNames().next()); // $ xss
-        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ xss
-        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ xss
-        writer.write(ec.getRequestPathInfo()); // $ xss
-        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ xss
-        writer.write(ec.getRequestHeaderMap().get("someKey")); // $ xss
-        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ xss
+        writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert
+        writer.write(ec.getRequestParameterNames().next()); // $ Alert
+        writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert
+        writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert
+        writer.write(ec.getRequestPathInfo()); // $ Alert
+        writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert
+        writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert
+        writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert
     }
 }
@@ -13,17 +13,17 @@
 public class SpringXSS {
 
   @GetMapping
-  public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) {
+  public static ResponseEntity<String> specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source
 
     ResponseEntity.BodyBuilder builder = ResponseEntity.ok();
 
     if(!safeContentType) {
       if(chainDirectly) {
-        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
+        return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
       }
       else {
         ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML);
-        return builder2.body(userControlled); // $ xss
+        return builder2.body(userControlled); // $ Alert
       }
     }
     else {
@@ -59,23 +59,23 @@ public static ResponseEntity<String> methodContentTypeSafeStringLiteral(String u
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
-  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = "text/html")
-  public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE})
-  public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeMaybeSafe(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
-  public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
-    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
+  public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source
+    return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -84,17 +84,17 @@ public static ResponseEntity<String> methodContentTypeUnsafeOverriddenWithSafe(S
   }
 
   @GetMapping(value = "/xyz", produces = {"text/html", "application/json"})
-  public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) {
+  public static ResponseEntity<String> methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source
     // Also try out some alternative constructors for the ResponseEntity:
     switch(constructionMethod) {
       case 0:
-      return ResponseEntity.ok(userControlled); // $ xss
+      return ResponseEntity.ok(userControlled); // $ Alert
       case 1:
-      return ResponseEntity.of(Optional.of(userControlled)); // $ xss
+      return ResponseEntity.of(Optional.of(userControlled)); // $ Alert
       case 2:
-      return ResponseEntity.ok().body(userControlled); // $ xss
+      return ResponseEntity.ok().body(userControlled); // $ Alert
       case 3:
-      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ xss
+      return new ResponseEntity<String>(userControlled, HttpStatus.OK); // $ Alert
       default:
       return null;
     }
@@ -114,27 +114,27 @@ public String testDirectReturn(String userControlled) {
     }
 
     @GetMapping(value = "/xyz", produces = {"text/html"})
-    public ResponseEntity<String> overridesWithUnsafe(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $ xss
+    public ResponseEntity<String> overridesWithUnsafe(String userControlled) { // $ Source
+      return ResponseEntity.ok(userControlled); // $ Alert
     }
 
     @GetMapping(value = "/abc")
-    public ResponseEntity<String> overridesWithUnsafe2(String userControlled) {
-      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ xss
+    public ResponseEntity<String> overridesWithUnsafe2(String userControlled) { // $ Source
+      return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert
     }
   }
 
   @RestController
   @RequestMapping(produces = {"text/html"})
   private static class ClassContentTypeUnsafe {
     @GetMapping(value = "/abc")
-    public ResponseEntity<String> test(String userControlled) {
-      return ResponseEntity.ok(userControlled); // $ xss
+    public ResponseEntity<String> test(String userControlled) { // $ Source
+      return ResponseEntity.ok(userControlled); // $ Alert
     }
 
     @GetMapping(value = "/abc")
-    public String testDirectReturn(String userControlled) {
-      return userControlled; // $ xss
+    public String testDirectReturn(String userControlled) { // $ Source
+      return userControlled; // $ Alert
     }
 
     @GetMapping(value = "/xyz", produces = {"application/json"})
@@ -149,13 +149,13 @@ public ResponseEntity<String> overridesWithSafe2(String userControlled) {
   }
 
   @GetMapping(value = "/abc")
-  public static ResponseEntity<String> entityWithNoMediaType(String userControlled) {
-    return ResponseEntity.ok(userControlled); // $ xss
+  public static ResponseEntity<String> entityWithNoMediaType(String userControlled) { // $ Source
+    return ResponseEntity.ok(userControlled); // $ Alert
   }
 
   @GetMapping(value = "/abc")
-  public static String stringWithNoMediaType(String userControlled) {
-    return userControlled; // $ xss
+  public static String stringWithNoMediaType(String userControlled) { // $ Source
+    return userControlled; // $ Alert
   }
 
   @GetMapping(value = "/abc")
Original file line number	Diff line number	Diff line change
`@@ -12,25 +12,25 @@`
`12`	`12`	`public class JaxXSS {`
`13`	`13`
`14`	`14`	`@GET`
`15`		`- public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) {`
	`15`	`+ public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source`
`16`	`16`
`17`	`17`	`Response.ResponseBuilder builder = Response.ok();`
`18`	`18`
`19`	`19`	`if(!safeContentType) {`
`20`	`20`	`if(chainDirectly) {`
`21`	`21`	`if(contentTypeFirst)`
`22`		`- return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
	`22`	`+ return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert`
`23`	`23`	`else`
`24`		`- return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ xss`
	`24`	`+ return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert`
`25`	`25`	`}`
`26`	`26`	`else {`
`27`	`27`	`if(contentTypeFirst) {`
`28`	`28`	`Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML);`
`29`		`- return builder2.entity(userControlled).build(); // $ xss`
	`29`	`+ return builder2.entity(userControlled).build(); // $ Alert`
`30`	`30`	`}`
`31`	`31`	`else {`
`32`	`32`	`Response.ResponseBuilder builder2 = builder.entity(userControlled);`
`33`		`- return builder2.type(MediaType.TEXT_HTML).build(); // $ xss`
	`33`	`+ return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`	`}`
`@@ -56,7 +56,7 @@ public static Response specificContentType(boolean safeContentType, boolean chai`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`@GET`
`59`		`- public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) {`
	`59`	`+ public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source`
`60`	`60`
`61`	`61`	`// Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above:`
`62`	`62`
`@@ -105,39 +105,39 @@ else if(route == 8) {`
`105`	`105`	`else {`
`106`	`106`	`if(route == 0) {`
`107`	`107`	`// via ok, as a string literal:`
`108`		`- return Response.ok("text/html").entity(userControlled).build(); // $ xss`
	`108`	`+ return Response.ok("text/html").entity(userControlled).build(); // $ Alert`
`109`	`109`	`}`
`110`	`110`	`else if(route == 1) {`
`111`	`111`	`// via ok, as a string constant:`
`112`		`- return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
	`112`	`+ return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert`
`113`	`113`	`}`
`114`	`114`	`else if(route == 2) {`
`115`	`115`	`// via ok, as a MediaType constant:`
`116`		`- return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ xss`
	`116`	`+ return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert`
`117`	`117`	`}`
`118`	`118`	`else if(route == 3) {`
`119`	`119`	`// via ok, as a Variant, via constructor:`
`120`		`- return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss`
	`120`	`+ return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert`
`121`	`121`	`}`
`122`	`122`	`else if(route == 4) {`
`123`	`123`	`// via ok, as a Variant, via static method:`
`124`		`- return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss`
	`124`	`+ return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert`
`125`	`125`	`}`
`126`	`126`	`else if(route == 5) {`
`127`	`127`	`// via ok, as a Variant, via instance method:`
`128`		`- return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ xss`
	`128`	`+ return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert`
`129`	`129`	`}`
`130`	`130`	`else if(route == 6) {`
`131`	`131`	`// via builder variant, before entity:`
`132`		`- return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ xss`
	`132`	`+ return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert`
`133`	`133`	`}`
`134`	`134`	`else if(route == 7) {`
`135`	`135`	`// via builder variant, after entity:`
`136`		`- return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ xss`
	`136`	`+ return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert`
`137`	`137`	`}`
`138`	`138`	`else if(route == 8) {`
`139`	`139`	`// provide entity via ok, then content-type via builder:`
`140`		`- return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ xss`
	`140`	`+ return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert`
`141`	`141`	`}`
`142`	`142`	`}`
`143`	`143`
`@@ -161,28 +161,28 @@ public static Response methodContentTypeSafeStringLiteral(String userControlled)`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`@GET @Produces(MediaType.TEXT_HTML)`
`164`		`- public static Response methodContentTypeUnsafe(String userControlled) {`
`165`		`- return Response.ok(userControlled).build(); // $ xss`
	`164`	`+ public static Response methodContentTypeUnsafe(String userControlled) { // $ Source`
	`165`	`+ return Response.ok(userControlled).build(); // $ Alert`
`166`	`166`	`}`
`167`	`167`
`168`	`168`	`@POST @Produces(MediaType.TEXT_HTML)`
`169`		`- public static Response methodContentTypeUnsafePost(String userControlled) {`
`170`		`- return Response.ok(userControlled).build(); // $ xss`
	`169`	`+ public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source`
	`170`	`+ return Response.ok(userControlled).build(); // $ Alert`
`171`	`171`	`}`
`172`	`172`
`173`	`173`	`@GET @Produces("text/html")`
`174`		`- public static Response methodContentTypeUnsafeStringLiteral(String userControlled) {`
`175`		`- return Response.ok(userControlled).build(); // $ xss`
	`174`	`+ public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source`
	`175`	`+ return Response.ok(userControlled).build(); // $ Alert`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`@GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})`
`179`		`- public static Response methodContentTypeMaybeSafe(String userControlled) {`
`180`		`- return Response.ok(userControlled).build(); // $ xss`
	`179`	`+ public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source`
	`180`	`+ return Response.ok(userControlled).build(); // $ Alert`
`181`	`181`	`}`
`182`	`182`
`183`	`183`	`@GET @Produces(MediaType.APPLICATION_JSON)`
`184`		`- public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {`
`185`		`- return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
	`184`	`+ public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source`
	`185`	`+ return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`@GET @Produces(MediaType.TEXT_HTML)`
`@@ -204,27 +204,27 @@ public String testDirectReturn(String userControlled) {`
`204`	`204`	`}`
`205`	`205`
`206`	`206`	`@GET @Produces({"text/html"})`
`207`		`- public Response overridesWithUnsafe(String userControlled) {`
`208`		`- return Response.ok(userControlled).build(); // $ xss`
	`207`	`+ public Response overridesWithUnsafe(String userControlled) { // $ Source`
	`208`	`+ return Response.ok(userControlled).build(); // $ Alert`
`209`	`209`	`}`
`210`	`210`
`211`	`211`	`@GET`
`212`		`- public Response overridesWithUnsafe2(String userControlled) {`
`213`		`- return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ xss`
	`212`	`+ public Response overridesWithUnsafe2(String userControlled) { // $ Source`
	`213`	`+ return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert`
`214`	`214`	`}`
`215`	`215`	`}`
`216`	`216`
`217`	`217`	`@Path("/abc")`
`218`	`218`	`@Produces({"text/html"})`
`219`	`219`	`public static class ClassContentTypeUnsafe {`
`220`	`220`	`@GET`
`221`		`- public Response test(String userControlled) {`
`222`		`- return Response.ok(userControlled).build(); // $ xss`
	`221`	`+ public Response test(String userControlled) { // $ Source`
	`222`	`+ return Response.ok(userControlled).build(); // $ Alert`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`@GET`
`226`		`- public String testDirectReturn(String userControlled) {`
`227`		`- return userControlled; // $ xss`
	`226`	`+ public String testDirectReturn(String userControlled) { // $ Source`
	`227`	`+ return userControlled; // $ Alert`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`@GET @Produces({"application/json"})`
`@@ -239,13 +239,13 @@ public Response overridesWithSafe2(String userControlled) {`
`239`	`239`	`}`
`240`	`240`
`241`	`241`	`@GET`
`242`		`- public static Response entityWithNoMediaType(String userControlled) {`
`243`		`- return Response.ok(userControlled).build(); // $ xss`
	`242`	`+ public static Response entityWithNoMediaType(String userControlled) { // $ Source`
	`243`	`+ return Response.ok(userControlled).build(); // $ Alert`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`@GET`
`247`		`- public static String stringWithNoMediaType(String userControlled) {`
`248`		`- return userControlled; // $ xss`
	`247`	`+ public static String stringWithNoMediaType(String userControlled) { // $ Source`
	`248`	`+ return userControlled; // $ Alert`
`249`	`249`	`}`
`250`	`250`
`251`	`251`	`}`