@@ -293,6 +293,62 @@ module SqlExecution {
293293 }
294294}
295295
296+ /**
297+ * A data-flow node that escapes meta-characters, which could be used to prevent
298+ * injection attacks.
299+ *
300+ * Extend this class to refine existing API models. If you want to model new APIs,
301+ * extend `Escaping::Range` instead.
302+ */
303+ class Escaping extends DataFlow:: Node {
304+ Escaping:: Range range ;
305+
306+ Escaping ( ) { this = range }
307+
308+ /** Gets an input that will be escaped. */
309+ DataFlow:: Node getAnInput ( ) { result = range .getAnInput ( ) }
310+
311+ /** Gets the output that contains the escaped data. */
312+ DataFlow:: Node getOutput ( ) { result = range .getOutput ( ) }
313+
314+ /**
315+ * Gets the context that this function escapes for, such as `html`, or `url`.
316+ */
317+ string getKind ( ) { result = range .getKind ( ) }
318+ }
319+
320+ /** Provides a class for modeling new escaping APIs. */
321+ module Escaping {
322+ /**
323+ * A data-flow node that escapes meta-characters, which could be used to prevent
324+ * injection attacks.
325+ *
326+ * Extend this class to model new APIs. If you want to refine existing API models,
327+ * extend `Escaping` instead.
328+ */
329+ abstract class Range extends DataFlow:: Node {
330+ /** Gets an input that will be escaped. */
331+ abstract DataFlow:: Node getAnInput ( ) ;
332+
333+ /** Gets the output that contains the escaped data. */
334+ abstract DataFlow:: Node getOutput ( ) ;
335+
336+ /**
337+ * Gets the context that this function escapes for, such as `html`, or `url`.
338+ */
339+ abstract string getKind ( ) ;
340+ }
341+ }
342+
343+ /**
344+ * An escape of a string so it can be safely included in
345+ * the body of an HTML element, for example, replacing `{}` in
346+ * `<p>{}</p>`.
347+ */
348+ class HtmlEscaping extends Escaping {
349+ HtmlEscaping ( ) { range .getKind ( ) = "html" }
350+ }
351+
296352/** Provides classes for modeling HTTP-related APIs. */
297353module HTTP {
298354 import semmle.python.web.HttpConstants
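Review bot: The `HtmlEscaping` docstring (new side 343–347) promises the output is safe in the body of an HTML element, but `getKind() = "html"` on 349 is the only thing tying a model to that context, so an escaper modelled with kind `"html"` whose output lands in an attribute value, a `<script>` block, or a URL is not covered, and any query that treats `HtmlEscaping` as a sanitizer inherits that gap silently. I would extend the class comment with `Note: this does not make the value safe in an attribute value, a <script> block, or a URL context; those need their own kind.` so that the limit is visible to whoever writes the next sanitizer predicate. Since `getKind()` is a free-form string matched by exact equality, I would also state on `Escaping::Range.getKind` (336–339) that the expected values are lowercase literals such as `"html"` and `"url"`, otherwise a model returning `"HTML"` compiles fine but never matches `HtmlEscaping`.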