Python: Add html.escape as HTML sanitizer

Author: RasmusWL

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -4842,6 +4842,23 @@ module StdlibPrivate {
       override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getCommand() }
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // html
+  // ---------------------------------------------------------------------------
+  /**
+   * A call to 'html.escape'.
+   * See https://docs.python.org/3/library/html.html#html.escape
+   */
+  private class HtmlEscapeCall extends Escaping::Range, API::CallNode {
+    HtmlEscapeCall() { this = API::moduleImport("html").getMember("escape").getACall() }
+
+    override DataFlow::Node getAnInput() { result = this.getParameter(0, "s").asSink() }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getKind() { result = Escaping::getHtmlKind() }
+  }
 }
 
 // ---------------------------------------------------------------------------

python/ql/test/library-tests/frameworks/stdlib/test_html.py

@@ -0,0 +1,8 @@
+import html
+
+s = "tainted"
+
+html.escape(s) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+html.escape(s, True) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+html.escape(s, False) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+html.escape(s, quote=False) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)