Deprecate previous version

2026-04-29 02:35:15 +02:00 · 2022-10-11 12:40:32 +02:00
parent 5c412b9363
commit 2a1b2db4c3
1 changed files with 24 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -28,6 +28,19 @@ module ReflectedXss {
    HttpResponseSink() { not exists(getAXssSafeHeaderDefinition(this)) }
  }

+  /**
+   * DEPRECATED: Gets a HeaderDefinition that defines a XSS safe content-type for `send`.
+   */
+  deprecated Http::HeaderDefinition getANonHtmlHeaderDefinition(Http::ResponseSendArgument send) {
+    exists(Http::RouteHandler h |
+      send.getRouteHandler() = h and
+      result = xssSafeContentTypeHeader(h)
+    |
+      // The HeaderDefinition affects a response sent at `send`.
+      headerAffects(result, send)
+    )
+  }
+
  /**
   * Gets a HeaderDefinition that defines a XSS safe content-type for `send`.
   */
@@ -42,7 +55,7 @@ module ReflectedXss {
  }

  /**
-   * A content-type that may lead to javascript code being executed in the browser.
+   * Gets a content-type that may lead to javascript code being executed in the browser.
   * ref: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#content-types
   */
  string xssUnsafeContentType() {
@@ -54,6 +67,16 @@ module ReflectedXss {
      ]
  }

+  /**
+   * DEPRECATED: Holds if `h` may send a response with a content type that is safe for XSS.
+   */
+  deprecated Http::HeaderDefinition nonHtmlContentTypeHeader(Http::RouteHandler h) {
+    result = h.getAResponseHeader("content-type") and
+    not exists(string tp | result.defines("content-type", tp) |
+      tp.toLowerCase().matches(xssUnsafeContentType() + "%")
+    )
+  }
+
  /**
   * Holds if `h` may send a response with a content type that is safe for XSS.
   */