jorgectf
diff --git a/‎java/change-notes/2021-07-01-spring-webutil.md
Lines changed: 4 additions & 0 deletions b/‎java/change-notes/2021-07-01-spring-webutil.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
Lines changed: 1 addition & 0 deletions b/‎java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
Lines changed: 1 addition & 0 deletions
diff --git a/‎java/ql/src/semmle/code/java/frameworks/spring/Spring.qll
Lines changed: 1 addition & 0 deletions b/‎java/ql/src/semmle/code/java/frameworks/spring/Spring.qll
Lines changed: 1 addition & 0 deletions
diff --git a/‎java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll
Lines changed: 176 additions & 0 deletions b/‎java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll
Lines changed: 176 additions & 0 deletions
diff --git a/‎java/ql/src/semmle/code/java/security/XSS.qll
Lines changed: 4 additions & 1 deletion b/‎java/ql/src/semmle/code/java/security/XSS.qll
Lines changed: 4 additions & 1 deletion
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.web.util` package of the Spring framework have
+  been modelled.  This may result in additional results for security queries on projects using this
+  framework.
@@ -95,6 +95,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.frameworks.spring.SpringWebMultipart
+  private import semmle.code.java.frameworks.spring.SpringWebUtil
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.GroovyInjection
 
@@ -39,6 +39,7 @@ import semmle.code.java.frameworks.spring.SpringUtil
 import semmle.code.java.frameworks.spring.SpringValidation
 import semmle.code.java.frameworks.spring.SpringValue
 import semmle.code.java.frameworks.spring.SpringWebMultipart
+import semmle.code.java.frameworks.spring.SpringWebUtil
 import semmle.code.java.frameworks.spring.SpringXMLElement
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBean
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBeanFile
@@ -93,7 +93,10 @@ private class DefaultXssSink extends XssSink {
 /** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
 private class DefaultXSSSanitizer extends XssSanitizer {
   DefaultXSSSanitizer() {
-    this.getType() instanceof NumericType or this.getType() instanceof BooleanType
+    this.getType() instanceof NumericType or
+    this.getType() instanceof BooleanType or
+    // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
+    this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,10 @@ private class DefaultXssSink extends XssSink {`
`93`	`93`	`/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */`
`94`	`94`	`private class DefaultXSSSanitizer extends XssSanitizer {`
`95`	`95`	`DefaultXSSSanitizer() {`
`96`		`- this.getType() instanceof NumericType or this.getType() instanceof BooleanType`
	`96`	`+ this.getType() instanceof NumericType or`
	`97`	`+ this.getType() instanceof BooleanType or`
	`98`	+ // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
	`99`	`+ this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")`
`97`	`100`	`}`
`98`	`101`	`}`
`99`	`102`