From 6f5f1c4829810cfad04fe3620e05df70a361d16a Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Mon, 15 Feb 2021 14:07:10 +0000 Subject: [PATCH 1/2] Add missing change notes --- change-notes/2021-02-09-html-templates.md | 3 +++ change-notes/2021-02-10-cfg-equality-panic-edges.md | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 change-notes/2021-02-09-html-templates.md create mode 100644 change-notes/2021-02-10-cfg-equality-panic-edges.md diff --git a/change-notes/2021-02-09-html-templates.md b/change-notes/2021-02-09-html-templates.md new file mode 100644 index 00000000000..02446038162 --- /dev/null +++ b/change-notes/2021-02-09-html-templates.md @@ -0,0 +1,3 @@ +lgtm,codescanning +* Improved our modelling of Go's builtin `html/template` package to understand that these templates provide context-sensitive escaping of HTML and Javascript special characters. This may reduce false-positive seen by the `go/reflected-xss` query, as well as other queries for which HTML escaping is relevant. + diff --git a/change-notes/2021-02-10-cfg-equality-panic-edges.md b/change-notes/2021-02-10-cfg-equality-panic-edges.md new file mode 100644 index 00000000000..4a4e41b89ae --- /dev/null +++ b/change-notes/2021-02-10-cfg-equality-panic-edges.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Improved the Go control-flow graph to exclude more edges representing panics due to comparisons when the types of the compared values indicate a panic is impossible (for example, comparing integers cannot panic). This may reduce false-positives or false-negatives for any query for which control-flow is relevant. From 95008d1ccb9208b08201958f2dc712d1cb73b7d3 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Mon, 15 Feb 2021 14:39:24 +0000 Subject: [PATCH 2/2] Update change-notes/2021-02-09-html-templates.md Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- change-notes/2021-02-09-html-templates.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/change-notes/2021-02-09-html-templates.md b/change-notes/2021-02-09-html-templates.md index 02446038162..d742ea4630e 100644 --- a/change-notes/2021-02-09-html-templates.md +++ b/change-notes/2021-02-09-html-templates.md @@ -1,3 +1,2 @@ lgtm,codescanning -* Improved our modelling of Go's builtin `html/template` package to understand that these templates provide context-sensitive escaping of HTML and Javascript special characters. This may reduce false-positive seen by the `go/reflected-xss` query, as well as other queries for which HTML escaping is relevant. - +* Improved our modeling of Go's builtin `html/template` package to understand that these templates provide context-sensitive escaping of HTML and Javascript special characters. This may reduce false-positives seen by the `go/reflected-xss` query, as well as other queries for which HTML escaping is relevant.
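Review bot: In the first hunk of PATCH 1/2 (new file `change-notes/2021-02-09-html-templates.md`), the added bullet has two wording slips that PATCH 2/2 then has to correct: "false-positive seen by" should be the plural "false-positives seen by", and the trailing empty line after the bullet is superfluous. Since the second commit exists only to fix these lines, squashing it into the first would keep a single clean change note per commit. While touching the line, "Javascript" should be spelled "JavaScript" and "builtin" would read better as "built-in"; neither is fixed by the follow-up commit.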
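Review bot: In the second hunk of PATCH 1/2 (new file `change-notes/2021-02-10-cfg-equality-panic-edges.md`), the phrase "for which control-flow is relevant" hyphenates a noun phrase; "control flow" should be two words here, matching "control-flow graph" only where it is used as an adjective earlier in the same sentence. The note also states only what is now excluded ("comparing integers cannot panic"); one clause naming the kind of comparison that still gets a panic edge, so readers know the scope of the remaining edges, would make the note more useful to query authors.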
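Review bot: The hunk in PATCH 2/2 changes "modelling" to "modeling" and "false-positive" to "false-positives" and drops the stray blank line, but leaves "Javascript" (should be "JavaScript") and "builtin" (should be "built-in") in place, so the line still needs a pass. The change note for `2021-02-10-cfg-equality-panic-edges.md` in PATCH 1/2 is not touched by this commit, so if the intent is consistent spelling across the two notes, the same style fixes should land there in the same commit rather than in a third one.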