Merge pull request github#13549 from geoffw0/badfilter

Swift: Query for bad HTML filtering regexps

Author: geoffw0

swift/ql/src/change-notes/2023-06-23-bad-tag-filter-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added new query "Bad HTML filtering regexp" (`swift/bad-tag-filter`). This query finds regular expressions that match HTML tags in a way that is not robust and can easily lead to security issues.

swift/ql/src/queries/Security/CWE-116/BadTagFilter.qhelp

@@ -0,0 +1,52 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+It is possible to match some single HTML tags using regular expressions (parsing general HTML using
+regular expressions is impossible). However, if the regular expression is not written well, it might
+be possible to circumvent it. This can lead to cross-site scripting or other security issues.
+</p>
+<p>
+Some of these mistakes are caused by browsers having very forgiving HTML parsers, and
+will often render invalid HTML containing syntax errors.
+Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use a well-tested sanitization or parser library if at all possible. These libraries are much more
+likely to handle corner cases correctly than a custom implementation.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example attempts to filters out all <code>&lt;script&gt;</code> tags.
+</p>
+
+<sample src="BadTagFilterBad.swift" />
+
+<p>
+The above sanitizer does not filter out all <code>&lt;script&gt;</code> tags.
+Browsers will not only accept <code>&lt;/script&gt;</code> as script end tags, but also tags such as <code>&lt;/script foo="bar"&gt;</code> even though it is a parser error.
+This means that an attack string such as <code>&lt;script&gt;alert(1)&lt;/script foo="bar"&gt;</code> will not be filtered by
+the function, and <code>alert(1)</code> will be executed by a browser if the string is rendered as HTML.
+</p>
+
+<p>
+Other corner cases include HTML comments ending with <code>--!&gt;</code>,
+and HTML tag names containing uppercase characters.
+</p>
+</example>
+
+<references>
+<li>Securitum: <a href="https://research.securitum.com/the-curious-case-of-copy-paste/">The Curious Case of Copy &amp; Paste</a>.</li>
+<li>stackoverflow.com: <a href="https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454">You can't parse [X]HTML with regex</a>.</li>
+<li>HTML Standard: <a href="https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state">Comment end bang state</a>.</li>
+<li>stackoverflow.com: <a href="https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html">Why aren't browsers strict about HTML?</a></li>
+</references>
+</qhelp>

swift/ql/src/queries/Security/CWE-116/BadTagFilter.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Bad HTML filtering regexp
+ * @description Matching HTML tags using regular expressions is hard to do right, and can lead to security issues.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.8
+ * @precision high
+ * @id swift/bad-tag-filter
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-116
+ *       external/cwe/cwe-020
+ *       external/cwe/cwe-185
+ *       external/cwe/cwe-186
+ */
+
+import codeql.swift.regex.Regex
+private import codeql.swift.regex.RegexTreeView::RegexTreeView as TreeView
+import codeql.regex.nfa.BadTagFilterQuery::Make<TreeView>
+
+from HtmlMatchingRegExp regexp, string msg
+where
+  // there might be multiple messages, we arbitrarily pick the shortest one
+  msg = min(string m | isBadRegexpFilter(regexp, m) | m order by m.length(), m)
+select regexp, msg

swift/ql/src/queries/Security/CWE-116/BadTagFilterBad.swift

@@ -0,0 +1,9 @@
+let script_tag_regex = /<script[^>]*>.*<\/script>/
+
+var old_html = ""
+while (html != old_html) {
+  old_html = html
+  html.replace(script_tag_regex, with: "")
+}
+
+...

swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected

@@ -0,0 +1,26 @@
+| test.swift:79:26:79:48 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
+| test.swift:86:27:86:49 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
+| test.swift:90:50:90:72 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
+| test.swift:113:26:113:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| test.swift:117:26:117:58 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression matches <script></script>, but not <script \\n></script> |
+| test.swift:121:26:121:56 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression matches <script>...</script>, but not <script >...\\n</script> |
+| test.swift:125:26:125:63 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses single-quotes. |
+| test.swift:132:28:132:65 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses double-quotes. |
+| test.swift:136:50:136:87 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses double-quotes. |
+| test.swift:143:28:143:69 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where tabs are used between attributes. |
+| test.swift:147:50:147:91 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where tabs are used between attributes. |
+| test.swift:154:28:154:55 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:157:50:157:77 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:164:28:164:73 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:167:50:167:95 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:174:28:174:60 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match script end tags like </script\\t\\n bar>. |
+| test.swift:177:50:177:82 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match script end tags like </script\\t\\n bar>. |
+| test.swift:191:27:191:68 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:194:50:194:91 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:198:27:198:167 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
+| test.swift:201:50:201:190 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
+| test.swift:205:51:205:84 | <script\\b[^>]*>([\\s\\S]*?)<\\/script> | This regular expression does not match script end tags like </script >. |
+| test.swift:209:51:209:104 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
+| test.swift:213:51:213:293 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
+| test.swift:217:51:217:77 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:225:51:225:52 | --> | This regular expression only parses --> and not --!> as a HTML comment end tag. |

swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.qlref

@@ -0,0 +1 @@
+queries/Security/CWE-116/BadTagFilter.ql

swift/ql/test/query-tests/Security/CWE-116/test.swift

@@ -0,0 +1,231 @@
+
+// --- stubs ---
+
+struct URL {
+    init?(string: String) {}
+}
+
+extension String {
+    init(contentsOf: URL) {
+        let data = ""
+        self.init(data)
+    }
+}
+
+struct AnyRegexOutput {
+}
+
+protocol RegexComponent<RegexOutput> {
+	associatedtype RegexOutput
+}
+
+struct Regex<Output> : RegexComponent {
+	struct Match {
+	}
+
+	init(_ pattern: String) throws where Output == AnyRegexOutput { }
+
+	func ignoresCase(_ ignoresCase: Bool = true) -> Regex<Regex<Output>.RegexOutput> { return self }
+	func dotMatchesNewlines(_ dotMatchesNewlines: Bool = true) -> Regex<Regex<Output>.RegexOutput> { return self }
+
+	func firstMatch(in string: String) throws -> Regex<Output>.Match? { return nil}
+
+	typealias RegexOutput = Output
+}
+
+extension String : RegexComponent {
+	typealias Output = Substring
+	typealias RegexOutput = String.Output
+}
+
+class NSObject {
+}
+
+struct _NSRange {
+	init(location: Int, length: Int) { }
+}
+
+typealias NSRange = _NSRange
+
+func NSMakeRange(_ loc: Int, _ len: Int) -> NSRange { return NSRange(location: loc, length: len) }
+
+class NSTextCheckingResult : NSObject {
+}
+
+class NSRegularExpression : NSObject {
+	struct Options : OptionSet {
+	    var rawValue: UInt
+
+		static var caseInsensitive: NSRegularExpression.Options { get { return Options(rawValue: 1 << 0) } }
+		static var dotMatchesLineSeparators: NSRegularExpression.Options { get { return Options(rawValue: 1 << 1) } }
+	}
+
+	struct MatchingOptions : OptionSet {
+	    var rawValue: UInt
+	}
+
+	init(pattern: String, options: NSRegularExpression.Options = []) throws { }
+
+	func matches(in string: String, options: NSRegularExpression.MatchingOptions = [], range: NSRange) -> [NSTextCheckingResult] { return [] }
+	func firstMatch(in string: String, options: NSRegularExpression.MatchingOptions = [], range: NSRange) -> NSTextCheckingResult? { return nil }
+}
+
+// --- tests ---
+
+func myRegexpVariantsTests(myUrl: URL) throws {
+    let tainted = String(contentsOf: myUrl) // tainted
+
+    // BAD - doesn't match newlines or `</script >`
+    let re1 = try Regex(#"<script.*?>.*?<\/script>"#).ignoresCase(true)
+    _ = try re1.firstMatch(in: tainted)
+
+    // BAD - doesn't match `</script >` [NOT DETECTED - all regexs with mode flags are currently missed by the query]
+    let re2a = try Regex(#"(?is)<script.*?>.*?<\/script>"#)
+    _ = try re2a.firstMatch(in: tainted)
+    // BAD - doesn't match `</script >`
+    let re2b = try Regex(#"<script.*?>.*?<\/script>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re2b.firstMatch(in: tainted)
+    // BAD - doesn't match `</script >`
+    let options2c: NSRegularExpression.Options = [.caseInsensitive, .dotMatchesLineSeparators]
+    let ns2c = try NSRegularExpression(pattern: #"<script.*?>.*?<\/script>"#, options: options2c)
+    _ = ns2c.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // GOOD
+    let re3a = try Regex(#"(?is)<script.*?>.*?<\/script[^>]*>"#)
+    _ = try re3a.firstMatch(in: tainted)
+    // GOOD
+    let re3b = try Regex(#"<script.*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re3b.firstMatch(in: tainted)
+    // GOOD
+    let options3b: NSRegularExpression.Options = [.caseInsensitive, .dotMatchesLineSeparators]
+    let ns3b = try NSRegularExpression(pattern: #"<script.*?>.*?<\/script[^>]*>"#, options: options3b)
+    _ = ns3b.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // GOOD - we don't care regexps that only match comments
+    let re4 = try Regex(#"<!--.*-->"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re4.firstMatch(in: tainted)
+
+    // GOOD
+    let re5 = try Regex(#"<!--.*--!?>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re5.firstMatch(in: tainted)
+
+    // BAD, does not match newlines
+    let re6 = try Regex(#"<!--.*--!?>"#).ignoresCase(true)
+    _ = try re6.firstMatch(in: tainted)
+
+    // BAD - doesn't match newlines inside the script tag
+    let re7 = try Regex(#"<script.*?>(.|\s)*?<\/script[^>]*>"#).ignoresCase(true)
+    _ = try re7.firstMatch(in: tainted)
+
+    // BAD - doesn't match newlines inside the content
+    let re8 = try Regex(#"<script[^>]*?>.*?<\/script[^>]*>"#).ignoresCase(true)
+    _ = try re8.firstMatch(in: tainted)
+
+    // BAD - does not match single quotes for attribute values
+    let re9 = try Regex(#"<script(\s|\w|=|")*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re9.firstMatch(in: tainted)
+
+    // BAD - does not match double quotes for attribute values [NOT DETECTED]
+    let re10a = try Regex(#"(?is)<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#)
+    _ = try re10a.firstMatch(in: tainted)
+    // BAD - does not match double quotes for attribute values
+    let re10b = try Regex(#"<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re10b.firstMatch(in: tainted)
+    // BAD - does not match double quotes for attribute values
+    let options10: NSRegularExpression.Options = [.caseInsensitive, .dotMatchesLineSeparators]
+    let ns10 = try NSRegularExpression(pattern: #"<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#, options: options10)
+    _ = ns10.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - does not match tabs between attributes [NOT DETECTED]
+    let re11a = try Regex(#"(?is)<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#)
+    _ = try re11a.firstMatch(in: tainted)
+    // BAD - does not match tabs between attributes
+    let re11b = try Regex(#"<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re11b.firstMatch(in: tainted)
+    // BAD - does not match tabs between attributes
+    let options11: NSRegularExpression.Options = [.caseInsensitive, .dotMatchesLineSeparators]
+    let ns11 = try NSRegularExpression(pattern: #"<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#, options: options11)
+    _ = ns11.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - does not match uppercase SCRIPT tags [NOT DETECTED]
+    let re12a = try Regex(#"(?s)<script.*?>.*?<\/script[^>]*>"#)
+    _ = try re12a.firstMatch(in: tainted)
+    // BAD - does not match uppercase SCRIPT tags
+    let re12b = try Regex(#"<script.*?>.*?<\/script[^>]*>"#).dotMatchesNewlines(true)
+    _ = try re12b.firstMatch(in: tainted)
+    // BAD - does not match uppercase SCRIPT tags
+    let ns12 = try NSRegularExpression(pattern: #"<script.*?>.*?<\/script[^>]*>"#, options: .dotMatchesLineSeparators)
+    _ = ns12.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - does not match mixed case script tags [NOT DETECTED]
+    let re13a = try Regex(#"(?s)<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#)
+    _ = try re13a.firstMatch(in: tainted)
+    // BAD - does not match mixed case script tags
+    let re13b = try Regex(#"<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#).dotMatchesNewlines(true)
+    _ = try re13b.firstMatch(in: tainted)
+    // BAD - does not match mixed case script tags
+    let ns13 = try NSRegularExpression(pattern: #"<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#, options: .dotMatchesLineSeparators)
+    _ = ns13.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - doesn't match newlines in the end tag [NOT DETECTED]
+    let re14a = try Regex(#"(?i)<script[^>]*?>[\s\S]*?<\/script.*>"#)
+    _ = try re14a.firstMatch(in: tainted)
+    // BAD - doesn't match newlines in the end tag
+    let re14b = try Regex(#"<script[^>]*?>[\s\S]*?<\/script.*>"#).ignoresCase(true)
+    _ = try re14b.firstMatch(in: tainted)
+    // BAD - doesn't match newlines in the end tag
+    let ns14 = try NSRegularExpression(pattern: #"<script[^>]*?>[\s\S]*?<\/script.*>"#, options: .caseInsensitive)
+    _ = ns14.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // GOOD
+    let re15a = try Regex(#"(?i)<script[^>]*?>[\s\S]*?<\/script[^>]*?>"#)
+    _ = try re15a.firstMatch(in: tainted)
+    // GOOD
+    let re15b = try Regex(#"<script[^>]*?>[\s\S]*?<\/script[^>]*?>"#).ignoresCase(true)
+    _ = try re15b.firstMatch(in: tainted)
+    // GOOD
+    let ns15 = try NSRegularExpression(pattern: #"<script[^>]*?>[\s\S]*?<\/script[^>]*?>"#, options: .caseInsensitive)
+    _ = ns15.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - doesn't match comments with the right capture groups
+    let re16 = try Regex(#"<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>"#)
+    _ = try re16.firstMatch(in: tainted)
+    // BAD - doesn't match comments with the right capture groups
+    let ns16 = try NSRegularExpression(pattern: #"<(?:!--([\S|\s]*?)-->)|([^\/\s>]+)[\S\s]*?>"#)
+    _ = ns16.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - capture groups
+    let re17 = try Regex(#"<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"#)
+    _ = try re17.firstMatch(in: tainted)
+    // BAD - capture groups
+    let ns17 = try NSRegularExpression(pattern: #"<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))"#, options: .caseInsensitive)
+    _ = ns17.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - too strict matching on the end tag
+    let ns2_1 = try NSRegularExpression(pattern: #"<script\b[^>]*>([\s\S]*?)<\/script>"#, options: .caseInsensitive)
+    _ = ns2_1.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - capture groups
+    let ns2_2 = try NSRegularExpression(pattern: #"(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|<!(--.*?--\s*)+>)"#, options: .caseInsensitive)
+    _ = ns2_2.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - capture groups
+    let ns2_3 = try NSRegularExpression(pattern: #"<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))"#)
+    _ = ns2_3.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - capture groups
+    let ns2_4 = try NSRegularExpression(pattern: #"<!--([\w\W]*?)-->|<([^>]*?)>"#)
+    _ = ns2_4.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // GOOD - it's used with the ignorecase flag
+    let ns2_5 = try NSRegularExpression(pattern: #"<script([^>]*)>([\S\s]*?)<\/script([^>]*)>"#, options: .caseInsensitive)
+    _ = ns2_5.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // BAD - doesn't match --!>
+    let ns2_6 = try NSRegularExpression(pattern: #"-->"#)
+    _ = ns2_6.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+
+    // GOOD
+    let ns2_7 = try NSRegularExpression(pattern: #"^>|^->|<!--|-->|--!>|<!-$"#)
+    _ = ns2_7.matches(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
+}