Add sanitizer to remove http.Error sink

Author: Kwstubbs

go/ql/lib/semmle/go/security/Xss.qll

@@ -108,6 +108,15 @@ module SharedXss {
       )
     }
   }
+/**
+ * A http.Error function returns with the ContentType of text/plain, and is not a valid XSS sink
+ */
+  class ErrorSanitizer extends Sanitizer{
+    ErrorSanitizer() {
+    exists(Function f, DataFlow::CallNode call | f = call.getCall().getTarget() | f.hasQualifiedName("net/http", "Error")
+    and call.getArgument(1) = this)
+    }
+  }
 
   /**
    * A regexp replacement involving an HTML meta-character, or a call to an escape

go/ql/test/query-tests/Security/CWE-079/reflectedxsstest.go

@@ -25,9 +25,9 @@ func ServeJsonDirect(w http.ResponseWriter, r http.Request) {
 
 func ErrTest(w http.ResponseWriter, r http.Request) {
 	cookie, err := r.Cookie("somecookie")
-	w.Write([]byte(fmt.Sprintf("Cookie result: %v", cookie)))   // BAD: Cookie's value is user-controlled
-	w.Write([]byte(fmt.Sprintf("Cookie check error: %v", err))) // GOOD: Cookie's err return is harmless
-
+	w.Write([]byte(fmt.Sprintf("Cookie result: %v", cookie)))    // BAD: Cookie's value is user-controlled
+	w.Write([]byte(fmt.Sprintf("Cookie check error: %v", err)))  // GOOD: Cookie's err return is harmless
+	http.Error(w, fmt.Sprintf("Cookie result: %v", cookie), 500) // Good: only plain text is written.
 	file, header, err := r.FormFile("someFile")
 	content, err2 := ioutil.ReadAll(file)
 	w.Write([]byte(fmt.Sprintf("File content: %v", content)))      // BAD: file content is user-controlled