Abstract additional taint step

Author: rvermeulen

java/ql/src/Security/CWE/CWE-079/XSS.ql

@@ -23,6 +23,10 @@ class XSSConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(XssAdditionalTaintStep s).step(node1, node2)
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, XSSConfig conf

java/ql/src/semmle/code/java/security/XSS.qll

@@ -14,6 +14,20 @@ abstract class XssSink extends DataFlow::Node { }
 
 abstract class XssSanitizer extends DataFlow::Node { }
 
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to the XSS
+ * taint configuration.
+ */
+abstract class XssAdditionalTaintStep extends TaintTracking2::Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for all configurations.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
 private class DefaultXssSink extends XssSink {
   DefaultXssSink() {
     exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |