Feedback, Format, Add Change Notes

2026-04-24 16:25:15 +02:00 · 2023-08-28 14:15:21 -07:00
parent 8960453662
commit 29e14f7d8d
2 changed files with 11 additions and 6 deletions
--- a/go/ql/lib/change-notes/2023-08-28--add-error-sanitizer-for-xss.md
+++ b/go/ql/lib/change-notes/2023-08-28--add-error-sanitizer-for-xss.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added [http.Error](https://pkg.go.dev/net/http#Error) to XSS sanitzers.
--- a/go/ql/lib/semmle/go/security/Xss.qll
+++ b/go/ql/lib/semmle/go/security/Xss.qll
@@ -108,13 +108,16 @@ module SharedXss {
      )
    }
  }
-/**
- * A http.Error function returns with the ContentType of text/plain, and is not a valid XSS sink
- */
-  class ErrorSanitizer extends Sanitizer{
+
+  /**
+   * A http.Error function returns with the ContentType of text/plain, and is not a valid XSS sink
+   */
+  class ErrorSanitizer extends Sanitizer {
    ErrorSanitizer() {
-    exists(Function f, DataFlow::CallNode call | f = call.getCall().getTarget() | f.hasQualifiedName("net/http", "Error")
-    and call.getArgument(1) = this)
+      exists(Function f, DataFlow::CallNode call | call = f.getACall() |
+        f.hasQualifiedName("net/http", "Error") and
+        call.getArgument(1) = this
+      )
    }
  }