From 0bb48136841056eb161cfe1d802e29bbc33e3303 Mon Sep 17 00:00:00 2001
From: sunnyeo
Date: Sat, 4 Apr 2026 02:45:27 +0900
Subject: [PATCH] JavaScript: Add setHTMLUnsafe and parseHTMLUnsafe as XSS sinks

Add support for two new HTML Sanitizer API methods that interpret arguments as HTML without sanitization:
- `Element.setHTMLUnsafe(html)`: Added to `interpretsArgumentsAsHtml` in DOM.qll, following the same pattern as `insertAdjacentHTML` and `document.write`. Receiver validation via `isDomNode` is inherited from `DomMethodCallNode`.
- `Document.parseHTMLUnsafe(html)`: Added to `HtmlParserSink` in DomBasedXssCustomizations.qll, following the same `GlobalVarRefNode` pattern as `DOMParser.parseFromString`. This is a static method on the `Document` class.
Both methods are part of the HTML Sanitizer API and are shipping in browsers (Chrome 124+, Firefox 148+). Unlike their safe counterparts (`setHTML`, `parseHTML`), these methods do not sanitize input and are therefore XSS sinks.
References:
- https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTMLUnsafe
- https://developer.mozilla.org/en-US/docs/Web/API/Document/parseHTMLUnsafe_static
---
 .../ql/lib/semmle/javascript/security/dataflow/DOM.qll | 2 ++
 .../security/dataflow/DomBasedXssCustomizations.qll | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
index f959de6c0b5e..67b4ed5838d1 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
@@ -58,6 +58,8 @@ class DomMethodCallNode extends DataFlow::MethodCallNode {
 name = "createElement" and argPos = 0
 or
 name = "appendChild" and argPos = 0
+or
+name = "setHTMLUnsafe" and argPos = 0
 )
 }
 
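Review bot: The new `setHTMLUnsafe` disjunct inherits its receiver check from `DomMethodCallNode`'s `isDomNode` (the class constructor and the enclosing `interpretsArgumentsAsHtml` predicate both start outside this hunk), so `ShadowRoot.setHTMLUnsafe`, which is the same API on a shadow root, is only flagged if `isDomNode` already recognizes the value returned by `attachShadow()`; the diff does not show that, so it is worth confirming with a test rather than assuming. The diffstat lists only the two `.qll` files, so neither this hunk nor the `parseHTMLUnsafe` hunk in DomBasedXssCustomizations.qll ships with a query test case or a change note describing the new sinks, both of which a new sink in this library normally carries. A one-line comment on the disjunct, e.g. `// HTML Sanitizer API: setHTMLUnsafe parses its argument as HTML without sanitizing it`, would also help readers tell it apart from the sanitizing `setHTML`.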
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
index b5c0be71f452..f25029640009 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -196,6 +196,11 @@ module DomBasedXss {
 ccf.getMethodName() = "createContextualFragment" and
 this = ccf.getArgument(0)
 )
+or
+exists(DataFlow::GlobalVarRefNode doc |
+doc.getName() = "Document" and
+this = doc.getAMethodCall("parseHTMLUnsafe").getArgument(0)
+)
 }
 }
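Review bot: As a point of style, the added `exists(DataFlow::GlobalVarRefNode doc | ...)` block introduces a bound variable only to name the global, which the library's `globalVarRef` helper already does: the disjunct can be written as the single line `this = DataFlow::globalVarRef("Document").getAMethodCall("parseHTMLUnsafe").getArgument(0)`. The longer form does mirror the `DOMParser` case earlier in this constructor, so keeping the two parallel is defensible; if so, a brief comment such as `// Document.parseHTMLUnsafe parses its argument without sanitization (static method, unlike DOMParser)` would explain why the receiver is the `Document` global rather than an instantiation. The `HtmlParserSink` constructor this hunk sits in starts outside the hunk, and the hunk header's old-side count suggests one trailing context line was cut from this view.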