sobelow does not analyse sigil_H

[marcandre]

While sobelow analyses .heex templates, it seems it ignores completely HEEX templates using ~H"...".

For some tests, in particular XSS, this is a critical issue.

[houllette]

Interesting! Thanks for the find - I'll need to dig a bit deeper into this feature add, because existing .heex support like you linked is all based around reading entire template files and not strings within .ex files. Therefore it wouldn't be simply a matter of adjusting the existing rule, but more than likely creating a brand new rule or revamping the existing one to also consider .ex files with ~H"...".

To be honest, I'm also not sure Sobelow currently identifies / pulls out sigils in any sort of way - so I would need to look into that before confirming how difficult an adjustment this is. But this is still a great callout to improve detections!