microsoft
diff --git a/‎go/ql/lib/semmle/go/security/Xss.qll
Lines changed: 16 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/Xss.qll
Lines changed: 16 additions & 0 deletions
diff --git a/‎go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
Lines changed: 5 additions & 5 deletions b/‎go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
Lines changed: 5 additions & 5 deletions
@@ -127,4 +127,20 @@ module SharedXss {
       )
     }
   }
+
+  /**
+   * A `Template` from `html/template` will HTML-escape data automatically
+   * and therefore acts as a sanitizer for XSS vulnerabilities.
+   */
+  class HtmlTemplateSanitizer extends Sanitizer, DataFlow::Node {
+    HtmlTemplateSanitizer() {
+      exists(Method m, DataFlow::CallNode call | m = call.getCall().getTarget() |
+        m.hasQualifiedName("html/template", "Template", "ExecuteTemplate") and
+        call.getArgument(2) = this
+        or
+        m.hasQualifiedName("html/template", "Template", "Execute") and
+        call.getArgument(1) = this
+      )
+    }
+  }
 }
@@ -64,6 +64,10 @@ class FlowConfFromUntrustedToPassthroughTypeConversion extends TaintTracking::Co
   }
 
   override predicate isSink(DataFlow::Node sink) { isSinkToPassthroughType(sink, dstTypeName) }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType
+  }
 }
 
 /**
@@ -100,7 +104,7 @@ class FlowConfPassthroughTypeConversionToTemplateExecutionCall extends TaintTrac
   PassthroughTypeName getDstTypeName() { result = dstTypeName }
 
   override predicate isSource(DataFlow::Node source) {
-    isSourceConversionToPassthroughType(source, _)
+    isSourceConversionToPassthroughType(source, dstTypeName)
   }
 
   private predicate isSourceConversionToPassthroughType(
@@ -141,10 +145,6 @@ class FlowConfFromUntrustedToTemplateExecutionCall extends TaintTracking::Config
   override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType
-  }
 }
 
 /**
Original file line number	Diff line number	Diff line change
`@@ -127,4 +127,20 @@ module SharedXss {`
`127`	`127`	`)`
`128`	`128`	`}`
`129`	`129`	`}`
	`130`	`+`
	`131`	`+ /**`
	`132`	+ * A `Template` from `html/template` will HTML-escape data automatically
	`133`	`+ * and therefore acts as a sanitizer for XSS vulnerabilities.`
	`134`	`+ */`
	`135`	`+ class HtmlTemplateSanitizer extends Sanitizer, DataFlow::Node {`
	`136`	`+ HtmlTemplateSanitizer() {`
	`137`	`+ exists(Method m, DataFlow::CallNode call \| m = call.getCall().getTarget() \|`
	`138`	`+ m.hasQualifiedName("html/template", "Template", "ExecuteTemplate") and`
	`139`	`+ call.getArgument(2) = this`
	`140`	`+ or`
	`141`	`+ m.hasQualifiedName("html/template", "Template", "Execute") and`
	`142`	`+ call.getArgument(1) = this`
	`143`	`+ )`
	`144`	`+ }`
	`145`	`+ }`
`130`	`146`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,10 @@ class FlowConfFromUntrustedToPassthroughTypeConversion extends TaintTracking::Co`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`override predicate isSink(DataFlow::Node sink) { isSinkToPassthroughType(sink, dstTypeName) }`
	`67`	`+`
	`68`	`+ override predicate isSanitizer(DataFlow::Node sanitizer) {`
	`69`	`+ sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType`
	`70`	`+ }`
`67`	`71`	`}`
`68`	`72`
`69`	`73`	`/**`
`@@ -100,7 +104,7 @@ class FlowConfPassthroughTypeConversionToTemplateExecutionCall extends TaintTrac`
`100`	`104`	`PassthroughTypeName getDstTypeName() { result = dstTypeName }`
`101`	`105`
`102`	`106`	`override predicate isSource(DataFlow::Node source) {`
`103`		`- isSourceConversionToPassthroughType(source, _)`
	`107`	`+ isSourceConversionToPassthroughType(source, dstTypeName)`
`104`	`108`	`}`
`105`	`109`
`106`	`110`	`private predicate isSourceConversionToPassthroughType(`
`@@ -141,10 +145,6 @@ class FlowConfFromUntrustedToTemplateExecutionCall extends TaintTracking::Config`
`141`	`145`	`override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }`
`142`	`146`
`143`	`147`	`override predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }`
`144`		`-`
`145`		`- override predicate isSanitizer(DataFlow::Node sanitizer) {`
`146`		`- sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType`
`147`		`- }`
`148`	`148`	`}`
`149`	`149`
`150`	`150`	`/**`