Convert xss sanitizer to MaD

2026-02-12 05:01:06 +01:00 · 2025-12-16 17:16:52 +00:00
parent 1e6410804f
commit 1e18fce300
2 changed files with 5 additions and 8 deletions
--- a/go/ql/lib/ext/github.com.beego.beego.server.web.model.yml
+++ b/go/ql/lib/ext/github.com.beego.beego.server.web.model.yml
@@ -50,3 +50,8 @@ extensions:
      - ["group:beego", "Controller", True, "GetString", "", "", "ReturnValue[0]", "remote", "manual"]
      - ["group:beego", "Controller", True, "GetStrings", "", "", "ReturnValue[0]", "remote", "manual"]
      - ["group:beego", "Controller", True, "Input", "", "", "ReturnValue[0]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: barrierModel
+    data:
+      - ["group:beego", "", True, "Htmlquote", "", "", "ReturnValue", "html-injection", "manual"]
--- a/go/ql/lib/semmle/go/frameworks/Beego.qll
+++ b/go/ql/lib/semmle/go/frameworks/Beego.qll
@@ -165,14 +165,6 @@ module Beego {
    override string getAContentType() { none() }
  }

-  private class HtmlQuoteSanitizer extends SharedXss::Sanitizer {
-    HtmlQuoteSanitizer() {
-      exists(DataFlow::CallNode c | c.getTarget().hasQualifiedName(packagePath(), "Htmlquote") |
-        this = c.getArgument(0)
-      )
-    }
-  }
-
  private class UtilsTaintPropagators extends TaintTracking::FunctionModel {
    UtilsTaintPropagators() { this.hasQualifiedName(utilsPackagePath(), "GetDisplayString") }