diff --git a/ql/src/semmle/go/frameworks/Stdlib.qll b/ql/src/semmle/go/frameworks/Stdlib.qll
index 5dfd64e043e..e46e98582c3 100644
--- a/ql/src/semmle/go/frameworks/Stdlib.qll
+++ b/ql/src/semmle/go/frameworks/Stdlib.qll
@@ -27,6 +27,7 @@ import semmle.go.frameworks.stdlib.EncodingHex
 import semmle.go.frameworks.stdlib.EncodingJson
 import semmle.go.frameworks.stdlib.EncodingPem
 import semmle.go.frameworks.stdlib.EncodingXml
+import semmle.go.frameworks.stdlib.Html
 import semmle.go.frameworks.stdlib.Path
 import semmle.go.frameworks.stdlib.PathFilepath
 import semmle.go.frameworks.stdlib.Reflect
diff --git a/ql/src/semmle/go/frameworks/stdlib/Html.qll b/ql/src/semmle/go/frameworks/stdlib/Html.qll
new file mode 100644
index 00000000000..cd6ee22441c
--- /dev/null
+++ b/ql/src/semmle/go/frameworks/stdlib/Html.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `html` package.
+ */
+
+import go
+
+/** Provides models of commonly used functions in the `html` package. */
+module Html {
+ private class FunctionModels extends TaintTracking::FunctionModel {
+ FunctionInput inp;
+ FunctionOutput outp;
+
+ FunctionModels() {
+ // signature: func EscapeString(s string) string
+ hasQualifiedName("html", "EscapeString") and
+ (inp.isParameter(0) and outp.isResult())
+ or
+ // signature: func UnescapeString(s string) string
+ hasQualifiedName("html", "UnescapeString") and
+ (inp.isParameter(0) and outp.isResult())
+ }
+
+ override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+ input = inp and output = outp
+ }
+ }
+}
diff --git a/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Html.go b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Html.go
new file mode 100644
index 00000000000..b4c1300a7d3
--- /dev/null
+++ b/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Html.go
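Review bot: The FunctionModels characteristic predicate in Html.qll models `html.EscapeString` purely as a taint-propagating step, which is right for provenance tracking but is easy to misread in XSS-oriented queries, where the same function is the usual HTML-context sanitizer; nothing in the hunk records that distinction. A comment above the EscapeString alternative such as `// Taint propagates (the result derives from the argument); whether EscapeString counts as an XSS sanitizer is a per-query decision not modeled here` would make the intent explicit, and a parallel note on UnescapeString would help since unescaping can reintroduce characters an earlier escape neutralized. As a point of style, both alternatives repeat `(inp.isParameter(0) and outp.isResult())`; hoisting it out of the disjunction, `(hasQualifiedName("html", "EscapeString") or hasQualifiedName("html", "UnescapeString")) and inp.isParameter(0) and outp.isResult()`, keeps the two signatures together and avoids the duplication.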
@@ -0,0 +1,30 @@
+// Code generated by https://github.com/gagliardetto/codebox. DO NOT EDIT.
+
+package main
+
+import "html"
+
+func TaintStepTest_HtmlEscapeString_B0I0O0(sourceCQL interface{}) interface{} {
+ fromString656 := sourceCQL.(string)
+ intoString414 := html.EscapeString(fromString656)
+ return intoString414
+}
+
+func TaintStepTest_HtmlUnescapeString_B0I0O0(sourceCQL interface{}) interface{} {
+ fromString518 := sourceCQL.(string)
+ intoString650 := html.UnescapeString(fromString518)
+ return intoString650
+}
+
+func RunAllTaints_Html() {
+ {
+ source := newSource(0)
+ out := TaintStepTest_HtmlEscapeString_B0I0O0(source)
+ sink(0, out)
+ }
+ {
+ source := newSource(1)
+ out := TaintStepTest_HtmlUnescapeString_B0I0O0(source)
+ sink(1, out)
+ }
+}