From 02f353eabd29ae52dfbdc22486c7f69d25812c9f Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Wed, 21 Oct 2020 15:26:49 +0100
Subject: [PATCH] Add models for the read side of golang.org/x/net/html

This covers cases where an HTML document is retrieved and then parts of its structure are output without proper escaping.
---
 change-notes/2020-10-12-x-net-html.md | 2 +-
 ql/src/semmle/go/frameworks/XNetHtml.qll | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/change-notes/2020-10-12-x-net-html.md b/change-notes/2020-10-12-x-net-html.md
index 485dd38971c..d0ffca3c9fa 100644
--- a/change-notes/2020-10-12-x-net-html.md
+++ b/change-notes/2020-10-12-x-net-html.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* Added partial support for the `golang.org/x/net/html` package, modelling tainted data flow from a retrieved HTML document to its attributes and other data.
+* Added partial support for the `golang.org/x/net/html` package, modeling tainted data flow from a retrieved HTML document to its attributes and other data.
diff --git a/ql/src/semmle/go/frameworks/XNetHtml.qll b/ql/src/semmle/go/frameworks/XNetHtml.qll
index 18548c5dced..096b3e847e2 100644
--- a/ql/src/semmle/go/frameworks/XNetHtml.qll
+++ b/ql/src/semmle/go/frameworks/XNetHtml.qll
@@ -30,6 +30,10 @@ module XNetHtml {
 "NewTokenizer", "NewTokenizerFragment"] and
 input.isParameter(0) and
 output.isResult(0)
+ or
+ getName() = ["AppendChild", "InsertBefore"] and
+ input.isParameter(0) and
+ output.isReceiver()
 }
 }
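Review bot: The new `or` branch in XNetHtml.qll selects on `getName() = ["AppendChild", "InsertBefore"]` alone, and because `or` binds more loosely than `and`, any package or receiver-type restriction conjoined into the first disjunct does not carry over to it. The predicate body starts above the hunk, so this may already be constrained there, but if it is not, a method with one of these names in any package would be modelled as propagating taint from argument 0 to its receiver, which adds spurious flows to every query that relies on this model. Pinning the branch to the node type would avoid that, for example `this.(Method).hasQualifiedName("golang.org/x/net/html", "Node", ["AppendChild", "InsertBefore"]) and` (or the module's own package helper in place of the literal), or parenthesising both disjuncts under one shared package check. The diffstat lists no test file, so a library test that passes a node built from parsed input to `AppendChild` and then reads the parent would keep this model from regressing.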