From 21246624b4aa1fee03b6a4088898bc35a8dbfb82 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 11 Aug 2020 15:15:39 +0200
Subject: [PATCH] Java: Add PrintWriter.format as XSS sink.

---
 java/ql/src/semmle/code/java/security/XSS.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index 9f5ed3fe9d6..fd1fdcde061 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -97,6 +97,7 @@ class WritingMethod extends Method {
 (
 this.getName().matches("print%") or
 this.getName() = "append" or
+ this.getName() = "format" or
 this.getName() = "write"
 )
 }
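Review bot: The new `this.getName() = "format"` disjunct ships without a test, as the diffstat shows XSS.qll is the only file touched. A case in the XSS query tests that routes request data through a writer's `format(...)` call, once as the format string and once as a varargs argument, would pin the new sink and show which argument positions are actually covered. The match is by method name only, so it applies to every declaring type the rest of the characteristic predicate admits rather than just `PrintWriter` as the subject line says; that constraint and the end of the class lie outside the hunk, so please confirm the wider match is intended. A short comment on the added line would also help, e.g. `// format(...) writes the same output as printf(...), which "print%" already matches`.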