
General issue: CWE-116 not reported for unescaped XML output in JavaScript/TypeScript

Open aniakowalewska1 opened this issue 4 weeks ago • 1 comment

Description

CodeQL security scan did not recognise the CWE-116 (Improper Encoding or Escaping of Output) in a Sitemap.xml.ts file when unescaped values are embedded into XML output.

Example

A sitemap is generated dynamically by interpolating application-derived values into XML elements:

// BASE_URL was not shown in the original snippet; a placeholder is declared here so the function compiles.
const BASE_URL = "https://example.com";

// Each entry is interpolated into the <loc> element as-is (no XML escaping).
function generateSitemap(entries: string[]): string {
  return `<?xml version="1.0" encoding="UTF-8"?>
<urlset>
  ${entries.map(path => `
    <url>
      <loc>${BASE_URL}/${path}</loc>
    </url>
  `).join("")}
</urlset>`;
}

Values here are embedded directly into XML elements without escaping.

Question

I would like to understand whether this pattern is currently not covered by the JavaScript/TypeScript analysis, or whether the scanning logic intentionally determines that this does not constitute a CWE-116 weakness when generating XML output such as a sitemap.

aniakowalewska1 Dec 12 '25 09:12 aniakowalewska1
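As an added illustration (not code from the issue or from the CodeQL project), the following puts the unescaped sitemap pattern beside an escaped variant and adds a small check that shows what CWE-116 means for this output: a path containing `&` or `<` ends up as raw markup inside `<loc>`. The base URL and the sample paths are constructed for the example.

```typescript
// Assumed base URL for the example; the issue's snippet leaves it undefined.
const BASE_URL = "https://example.com";

// Escape the five XML-significant characters so a value is treated as text.
function escapeXml(value: string): string {
  return value.replace(/[&<>"']/g, (c) => {
    switch (c) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default: return "&apos;";
    }
  });
}

// Vulnerable pattern (as in the issue): values interpolated straight into XML.
function generateSitemapUnescaped(entries: string[]): string {
  const urls = entries
    .map((path) => `  <url><loc>${BASE_URL}/${path}</loc></url>`)
    .join("\n");
  return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset>\n${urls}\n</urlset>`;
}

// Hardened variant: every application-derived value passes through escapeXml.
function generateSitemapEscaped(entries: string[]): string {
  const urls = entries
    .map((path) => `  <url><loc>${escapeXml(BASE_URL)}/${escapeXml(path)}</loc></url>`)
    .join("\n");
  return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset>\n${urls}\n</urlset>`;
}

// Detection helper: a raw '<' or '>' inside a <loc> text node, or an '&' that does
// not start an entity reference, means the value was emitted without encoding.
function hasUnescapedMarkup(xml: string): boolean {
  const locRe = /<loc>([\s\S]*?)<\/loc>/g;
  let m: RegExpExecArray | null;
  while ((m = locRe.exec(xml)) !== null) {
    const text = m[1];
    if (/[<>]/.test(text)) return true;
    if (/&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/.test(text)) return true;
  }
  return false;
}

// Constructed sample input: one benign path and one carrying XML-significant characters.
const samplePaths = ["docs/intro", "search?q=a&b=<script>"];
```

Running `hasUnescapedMarkup` over both outputs for `samplePaths` flags the unescaped sitemap and passes the escaped one.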

I don't think we currently have a query for detecting this.

hvitved Dec 12 '25 10:12 hvitved