Revert "JavaScript: Improve double-escaping query"

2026-04-29 02:35:15 +02:00 · 2019-11-12 22:54:12 +00:00
parent 429c307832
commit 155cea7b5b
5 changed files with 31 additions and 194 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -5,8 +5,3 @@
 | tst.js:53:10:53:33 | s.repla ... , '\\\\') | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:53:10:54:33 | s.repla ... , '\\'') | here |
 | tst.js:60:7:60:28 | s.repla ...  '%25') | This replacement may double-escape '%' characters from $@. | tst.js:59:7:59:28 | s.repla ...  '%26') | here |
 | tst.js:68:10:70:38 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
-| tst.js:74:10:77:10 | JSON.st ...       ) | This replacement may double-escape '\\' characters from $@. | tst.js:75:12:76:37 | s.repla ... u003E") | here |
-| tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
-| tst.js:99:10:99:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |
-| tst.js:107:10:107:53 | encodeD ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:107:10:107:30 | encodeD ... otes(s) | here |
-| tst.js:115:10:115:47 | encodeQ ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:115:10:115:24 | encodeQuotes(s) | here |
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -69,68 +69,3 @@ function badEncode(s) {
          .replace(indirect2, "&apos;")
          .replace(indirect3, "&amp;");
 }
-
-function badEscape1(s) {
-  return JSON.stringify(
-           s.replace(/</g, "\\u003C")
-            .replace(/>/g, "\\u003E")
-         );
-}
-
-function goodEscape1(s) {
-  return JSON.stringify(s)
-             .replace(/</g, "\\u003C").replace(/>/g, "\\u003E");
-}
-
-function badUnescape2(s) {
-  return JSON.parse(s).replace(/\\u003C/g, "<").replace(/\\u003E/g, ">");
-}
-
-function goodUnescape2(s) {
-  return JSON.parse(s.replace(/\\u003C/g, "<").replace(/\\u003E/g, ">"));
-}
-
-function badEncodeWithReplacer(s) {
-  var repl = {
-    '"': "&quot;",
-    "'": "&apos;",
-    "&": "&amp;"
-  };
-  return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&amp;");
-}
-
-function encodeDoubleQuotes(s) {
-  return s.replace(/"/g, "&quot;");
-}
-
-function badWrappedEncode(s) {
-  return encodeDoubleQuotes(s).replace(/&/g, "&amp;");
-}
-
-function encodeQuotes(s) {
-  return s.replace(/"/g, "&quot;").replace(/'/g, "&apos;");
-}
-
-function badWrappedEncode2(s) {
-  return encodeQuotes(s).replace(/&/g, "&amp;");
-}
-
-function roundtrip(s) {
-  return JSON.parse(JSON.stringify(s));
-}
-
-// dubious, but out of scope for this query
-function badRoundtrip(s) {
-  return s.replace(/\\\\/g, "\\").replace(/\\/g, "\\\\");
-}
-
-function testWithCapturedVar(x) {
-  var captured = x;
-  (function() {
-    captured = captured.replace(/\\/g, "\\\\");
-  })();
-}
-
-function cloneAndStringify(s) {
-  return JSON.stringify(JSON.parse(JSON.stringify(s)));
-}