Allow MaD models for XSS sinks using "html-injection" or "js-injection"

github · Aug 20, 2024 · 30f8d6e · 30f8d6e
1 parent ff242dc
commit 30f8d6e
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/go/ql/lib/semmle/go/security/Xss.qll b/go/ql/lib/semmle/go/security/Xss.qll
@@ -49,6 +49,10 @@ module SharedXss {
     override Locatable getAssociatedLoc() { result = this.getRead().getEnclosingTextNode() }
   }
 
+  private class DefaultSink extends Sink {
+    DefaultSink() { sinkNode(this, ["html-injection", "js-injection"]) }
+  }
+
   /**
    * Holds if `body` may send a response with a content type other than HTML.
    */