hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

ReflectedXss: Allow regexp to match newlines

Browse Source
This commit is contained in:
Sauyon Lee
2020-06-16 00:43:12 -07:00
parent f11b956583
commit 1853e990a3
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ql/src/semmle/go/security/ReflectedXssCustomizations.qll
View File

@@ -67,12 +67,12 @@ module ReflectedXss {
// checks that the format value does not start with:
// - '<', which could lead to an HTML content type being detected, or
// - '%', which could be a format string.
call.getArgument(1).getStringValue().regexpMatch("^[^<%].*")
call.getArgument(1).getStringValue().regexpMatch("(?s)^[^<%].*")
)
or
exists(DataFlow::Node pred | body = pred.getASuccessor*() |
// data starting with a character other than `<` cannot cause an HTML content type to be detected.
pred.getStringValue().regexpMatch("^[^<].*")
pred.getStringValue().regexpMatch("(?s)^[^<].*")
or
// json data cannot begin with `<`
exists(EncodingJson::MarshalFunction mf | pred = mf.getOutput().getNode(mf.getACall()))