Merge pull request #17260 from owen-mc/go/mad/convert-sink-5

Go: Allow MaD models for XSS sinks using "html-injection" or "js-injection"
github · Aug 20, 2024 · f0fe3a3 · f0fe3a3
2 parents 8b4e060 + 30f8d6e
commit f0fe3a3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/go/ql/lib/semmle/go/security/Xss.qll b/go/ql/lib/semmle/go/security/Xss.qll
@@ -49,6 +49,10 @@ module SharedXss {
     override Locatable getAssociatedLoc() { result = this.getRead().getEnclosingTextNode() }
   }
 
+  private class DefaultSink extends Sink {
+    DefaultSink() { sinkNode(this, ["html-injection", "js-injection"]) }
+  }
+
   /**
    * Holds if `body` may send a response with a content type other than HTML.
    */