Add utility functions definining XSS-vulnerable content-types

smowton · smowton · commit 10714211c6eb · 2021-06-30T12:04:21.000+01:00
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -150,3 +150,20 @@ class ServletWriterSource extends MethodAccess {
     )
   }
 }
+
+/**
+ * Holds if `s` is an HTTP Content-Type vulnerable to XSS.
+ */
+bindingset[s]
+predicate isXssVulnerableContentType(string s) {
+  s.regexpMatch("(?i)text/(html|xml|xsl|rdf|vtt|cache-manifest).*") or
+  s.regexpMatch("(?i)application/(.*\\+)?xml.*") or
+  s.regexpMatch("(?i)cache-manifest.*") or
+  s.regexpMatch("(?i)image/svg\\+xml.*")
+}
+
+/**
+ * Holds if `s` is an HTTP Content-Type that is not vulnerable to XSS.
+ */
+bindingset[s]
+predicate isXssSafeContentType(string s) { not isXssVulnerableContentType(s) }
