From dc95902e56b4917417fdc2eca03b8cb1a9b2a168 Mon Sep 17 00:00:00 2001
From: Slavomir <gagliardetto@users.noreply.github.com>
Date: Thu, 1 Apr 2021 15:50:25 +0300
Subject: [PATCH] Apply suggestions from code review

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../CWE-79/HTMLTemplateEscapingPassthrough.qhelp          | 2 +-
 .../CWE-79/HTMLTemplateEscapingPassthrough.ql             | 8 +++-----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.qhelp b/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.qhelp
index ec406bdc198..a842a685f23 100755
--- a/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.qhelp
+++ b/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.qhelp
@@ -8,7 +8,7 @@
 			that allow values to be rendered as-is in the template, avoiding the escaping that all the other strings go
 			through.
 		</p>
-		<p>Using them on user-provided values will result in an XSS.</p>
+		<p>Using them on user-provided values will result in an opportunity for XSS.</p>
 	</overview>
 	<recommendation>
 		<p>
diff --git a/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql b/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
index 3cef4f1e035..9b0c37676ab 100755
--- a/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
+++ b/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
@@ -42,10 +42,9 @@ class PassthroughTypeName extends string {
  * output of the templates.
  */
 class FlowConfFromUntrustedToPassthroughTypeConversion extends TaintTracking::Configuration {
-  string dstTypeName;
+  PassthroughTypeName dstTypeName;
 
   FlowConfFromUntrustedToPassthroughTypeConversion() {
-    dstTypeName instanceof PassthroughTypeName and
     this = "UntrustedToConversion" + dstTypeName
   }
 
@@ -105,11 +104,10 @@ class FlowConfPassthroughTypeConversionToTemplateExecutionCall extends TaintTrac
     isSourceConversionToPassthroughType(source, _)
   }
 
-  private predicate isSourceConversionToPassthroughType(DataFlow::TypeCastNode source, string name) {
+  private predicate isSourceConversionToPassthroughType(DataFlow::TypeCastNode source, PassthroughTypeName name) {
     exists(Type typ |
       typ = source.getResultType() and
-      typ.getUnderlyingType*().hasQualifiedName("html/template", name) and
-      name instanceof PassthroughTypeName
+      typ.getUnderlyingType*().hasQualifiedName("html/template", name)
     )
   }