Added a test case where useFragment from react-relay should be marked as a source but isn't

2026-04-29 02:35:15 +02:00 · 2025-02-25 12:10:56 +01:00
parent cc5179a35e
commit 1e3b8625e6
1 changed files with 22 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
@@ -0,0 +1,22 @@
+import React from 'react';
+import { useFragment } from 'react-relay';
+
+const CommentComponent = ({ commentRef }) => {
+  const commentData = useFragment(
+    graphql`
+      fragment CommentComponent_comment on Comment {
+        id
+        text
+      }
+    `,
+    commentRef
+  ); // $ MISSING: Source=[js/xss]
+
+  return (
+    <div>
+      <h3>Comment:</h3>
+      {/* Directly rendering user input without sanitation */}
+      <p dangerouslySetInnerHTML = {{ __html: commentData.text}}> {commentData.text}</p> // $ MISSING: Alert=[js/xss]
+    </div> 
+  );
+};