Python: Require quote escaping for html.escape

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -4851,7 +4851,19 @@ module StdlibPrivate {
    * See https://docs.python.org/3/library/html.html#html.escape
    */
   private class HtmlEscapeCall extends Escaping::Range, API::CallNode {
-    HtmlEscapeCall() { this = API::moduleImport("html").getMember("escape").getACall() }
+    HtmlEscapeCall() {
+      this = API::moduleImport("html").getMember("escape").getACall() and
+      // if quote escaping is disabled, that might lead to XSS if the result is inserted
+      // in the attribute value of a tag, such as `<foo bar="escape_result">`. Since we
+      // don't know how values are being inserted, and we don't want to lose these
+      // results (FNs), we require quote escaping to be enabled. This might lead to some
+      // FPs, so we might need to revisit this in the future.
+      not this.getParameter(1, "quote")
+          .getAValueReachingSink()
+          .asExpr()
+          .(ImmutableLiteral)
+          .booleanValue() = false
+    }
 
     override DataFlow::Node getAnInput() { result = this.getParameter(0, "s").asSink() }
 

python/ql/test/library-tests/frameworks/stdlib/test_html.py

@@ -4,5 +4,6 @@
 
 html.escape(s) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
 html.escape(s, True) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
-html.escape(s, False) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
-html.escape(s, quote=False) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+# not considered html escapes, since they don't escape all relevant characters
+html.escape(s, False)
+html.escape(s, quote=False)