Feedback, Format, Add Change Notes

Author: Kwstubbs

go/ql/lib/change-notes/2023-08-28--add-error-sanitizer-for-xss.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added [http.Error](https://pkg.go.dev/net/http#Error) to XSS sanitzers.

go/ql/lib/semmle/go/security/Xss.qll

@@ -108,13 +108,16 @@ module SharedXss {
       )
     }
   }
-/**
- * A http.Error function returns with the ContentType of text/plain, and is not a valid XSS sink
- */
-  class ErrorSanitizer extends Sanitizer{
+
+  /**
+   * A http.Error function returns with the ContentType of text/plain, and is not a valid XSS sink
+   */
+  class ErrorSanitizer extends Sanitizer {
     ErrorSanitizer() {
-    exists(Function f, DataFlow::CallNode call | f = call.getCall().getTarget() | f.hasQualifiedName("net/http", "Error")
-    and call.getArgument(1) = this)
+      exists(Function f, DataFlow::CallNode call | call = f.getACall() |
+        f.hasQualifiedName("net/http", "Error") and
+        call.getArgument(1) = this
+      )
     }
   }