github
diff --git a/‎go/ql/lib/semmle/go/security/Xss.qll
Copy file name to clipboardExpand all lines: go/ql/lib/semmle/go/security/Xss.qll
+16Lines changed: 16 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/Xss.qll
Copy file name to clipboardExpand all lines: go/ql/lib/semmle/go/security/Xss.qll
+16Lines changed: 16 additions & 0 deletions
diff --git a/‎go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
Copy file name to clipboardExpand all lines: go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
+5-5Lines changed: 5 additions & 5 deletions b/‎go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
Copy file name to clipboardExpand all lines: go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
+5-5Lines changed: 5 additions & 5 deletions
@@ -127,4 +127,20 @@ module SharedXss {
       )
     }
   }
+
+  /**
+   * A `Template` from `html/template` will HTML-escape data automatically
+   * and therefore acts as a sanitizer for XSS vulnerabilities.
+   */
+  class HtmlTemplateSanitizer extends Sanitizer, DataFlow::Node {
+    HtmlTemplateSanitizer() {
+      exists(Method m, DataFlow::CallNode call | m = call.getCall().getTarget() |
+        m.hasQualifiedName("html/template", "Template", "ExecuteTemplate") and
+        call.getArgument(2) = this
+        or
+        m.hasQualifiedName("html/template", "Template", "Execute") and
+        call.getArgument(1) = this
+      )
+    }
+  }
 }
@@ -64,6 +64,10 @@ class FlowConfFromUntrustedToPassthroughTypeConversion extends TaintTracking::Co
   }
 
   override predicate isSink(DataFlow::Node sink) { isSinkToPassthroughType(sink, dstTypeName) }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType
+  }
 }
 
 /**
@@ -100,7 +104,7 @@ class FlowConfPassthroughTypeConversionToTemplateExecutionCall extends TaintTrac
   PassthroughTypeName getDstTypeName() { result = dstTypeName }
 
   override predicate isSource(DataFlow::Node source) {
-    isSourceConversionToPassthroughType(source, _)
+    isSourceConversionToPassthroughType(source, dstTypeName)
   }
 
   private predicate isSourceConversionToPassthroughType(
@@ -141,10 +145,6 @@ class FlowConfFromUntrustedToTemplateExecutionCall extends TaintTracking::Config
   override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SharedXss::Sanitizer or sanitizer.getType() instanceof NumericType
-  }
 }
 
 /**
Original file line number	Diff line number	Diff line change
`@@ -127,4 +127,20 @@ module SharedXss {`
`127`	`127`	`)`
`128`	`128`	`}`
`129`	`129`	`}`
	`130`	`+`
	`131`	`+ /**`
	`132`	+ * A `Template` from `html/template` will HTML-escape data automatically
	`133`	`+ * and therefore acts as a sanitizer for XSS vulnerabilities.`
	`134`	`+ */`
	`135`	`+ class HtmlTemplateSanitizer extends Sanitizer, DataFlow::Node {`
	`136`	`+ HtmlTemplateSanitizer() {`
	`137`	`+ exists(Method m, DataFlow::CallNode call \| m = call.getCall().getTarget() \|`
	`138`	`+ m.hasQualifiedName("html/template", "Template", "ExecuteTemplate") and`
	`139`	`+ call.getArgument(2) = this`
	`140`	`+ or`
	`141`	`+ m.hasQualifiedName("html/template", "Template", "Execute") and`
	`142`	`+ call.getArgument(1) = this`
	`143`	`+ )`
	`144`	`+ }`
	`145`	`+ }`
`130`	`146`	`}`