From 43cfa2f8bdd46c4efb0d739b09bfe953781c1575 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 25 Jun 2026 16:42:20 +0200
Subject: [PATCH] C#: Remove [[ style links from XSS sink explanation

Remove the makeUrl predicate and the [[""|""]]] link syntax from AspxCodeSink.explanation(), replacing with plain text.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../code/csharp/security/dataflow/XSSSinks.qll | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll
index 4e908bf5dfec..fede4750c0ff 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll
@@ -186,13 +186,6 @@ private Expr aspWrittenValue(AspInlineMember m) {
 m.getMember().(Callable).canReturn(result)
 }
 
-private string makeUrl(Location l) {
- exists(string path, int sl, int sc, int el, int ec |
- l.hasLocationInfo(path, sl, sc, el, ec) and
- result = "file://" + path + ":" + sl + ":" + sc + ":" + el + ":" + ec
- )
-}
-
 /**
 * A sink for writes to properties that are accessed in ASP pages.
 *
@@ -208,10 +201,7 @@ private class AspxCodeSink extends Sink {
 
 AspxCodeSink() { this.getExpr() = aspWrittenValue(inline) }
 
- override string explanation() {
- result =
- "member is [[\"accessed inline\"|\"" + makeUrl(inline.getLocation()) + "\"]] in an ASPX page"
- }
+ override string explanation() { result = "member is accessed inline in an ASPX page" }
 }
 
 /** A sink for the output stream associated with a `HttpListenerResponse`. */
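Review bot: The replacement string in `AspxCodeSink.explanation()` no longer identifies which ASPX location renders the member, so anyone triaging an XSS alert from this sink loses the pointer that the removed `makeUrl(inline.getLocation())` link supplied. If the `[[...]]` markup had to go, a doc comment on the override would at least record that the omission is deliberate, for example `/** Gets the alert text; the ASPX location of the inline access is not part of the message. */`. As far as this hunk shows, `inline` is now used only in the characteristic predicate, so it is worth checking whether it still needs to be a named variable or whether `aspWrittenValue(_)` would do. The class body starts above the hunk, so the declaration of `inline` is not visible here.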