JavaScript: Add setHTMLUnsafe and parseHTMLUnsafe as XSS sinks
Add support for two new HTML Sanitizer API methods that interpret
arguments as HTML without sanitization:

- `Element.setHTMLUnsafe(html)`: Added to `interpretsArgumentsAsHtml`
  in DOM.qll, following the same pattern as `insertAdjacentHTML` and
  `document.write`. Receiver validation via `isDomNode` is inherited
  from `DomMethodCallNode`.

- `Document.parseHTMLUnsafe(html)`: Added to `HtmlParserSink` in
  DomBasedXssCustomizations.qll, following the same
  `GlobalVarRefNode` pattern as `DOMParser.parseFromString`. This
  is a static method on the `Document` class.

Both methods are part of the HTML Sanitizer API and are shipping in
browsers (Chrome 124+, Firefox 148+). Unlike their safe counterparts
(`setHTML`, `parseHTML`), these methods do not sanitize input and are
therefore XSS sinks.

References:
- https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTMLUnsafe
- https://developer.mozilla.org/en-US/docs/Web/API/Document/parseHTMLUnsafe_static
sunnyeo committed Apr 3, 2026
commit 0bb48136841056eb161cfe1d802e29bbc33e3303
@@ -58,6 +58,8 @@ class DomMethodCallNode extends DataFlow::MethodCallNode {
name = "createElement" and argPos = 0
or
name = "appendChild" and argPos = 0
or
name = "setHTMLUnsafe" and argPos = 0
)
}

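Review bot: no test or change note accompanies the new `setHTMLUnsafe` sink; the commit touches only the two library files named in the message, so nothing demonstrates that a call such as `el.setHTMLUnsafe(untrusted)` is now reported. A test with a tainted first argument would also settle the receiver question: `setHTMLUnsafe` is defined on `ShadowRoot` as well as `Element`, and since this sink inherits the `isDomNode` receiver check from `DomMethodCallNode`, a call on `el.shadowRoot` is only caught if that check recognises shadow roots. `argPos = 0` is correct, because the optional second argument is the sanitizer options object, not markup.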
@@ -196,6 +196,11 @@ module DomBasedXss {
ccf.getMethodName() = "createContextualFragment" and
this = ccf.getArgument(0)
)
or
exists(DataFlow::GlobalVarRefNode doc |
doc.getName() = "Document" and
this = doc.getAMethodCall("parseHTMLUnsafe").getArgument(0)
)
}
}

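Review bot: the new `Document.parseHTMLUnsafe` disjunct deserves a one-line comment explaining why it is modelled through a `GlobalVarRefNode` named `Document` rather than through `DomMethodCallNode` like `setHTMLUnsafe` in the first hunk: `parseHTMLUnsafe` is a static method, so the receiver is the `Document` constructor and not a DOM node, and `isDomNode` would never match it. Without that comment the next reader will try to fold it into `interpretsArgumentsAsHtml`. As with the `DOMParser.parseFromString` model it mirrors, the sink fires on the parse itself even though the returned document is detached and only becomes live once its nodes are inserted into the page; that is consistent with the existing sinks but is a deliberate over-approximation worth stating in the qldoc. A test case with an untrusted value flowing into the first argument is also missing from this commit.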