Java: Add HTML escapes as XSS sanitizers

Sauyon Lee · aschackmull · Sauyon Lee · commit 9a5c0f6c738f · 2021-08-12T11:20:49.000-07:00
Co-Authored-By: Anders Schack-Mulligen &lt;aschackmull@users.noreply.github.com&gt;
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -94,6 +94,9 @@ private class DefaultXssSink extends XssSink {
 private class DefaultXSSSanitizer extends XssSanitizer {
   DefaultXSSSanitizer() {
     this.getType() instanceof NumericType or this.getType() instanceof BooleanType
+    or
+    // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
+    this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,9 @@ private class DefaultXssSink extends XssSink {`
`94`	`94`	`private class DefaultXSSSanitizer extends XssSanitizer {`
`95`	`95`	`DefaultXSSSanitizer() {`
`96`	`96`	`this.getType() instanceof NumericType or this.getType() instanceof BooleanType`
	`97`	`+ or`
	`98`	+ // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
	`99`	`+ this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")`
`97`	`100`	`}`
`98`	`101`	`}`
`99`	`102`