suggestions based on review: add a popular library example for HTML-sanitization, and use the old text about ../ replacements

This commit is contained in:
erik-krogh
2023-07-13 14:27:42 +02:00
parent 9db970f055
commit 1fe66232c6
2 changed files with 30 additions and 2 deletions

View File

@@ -85,6 +85,16 @@ function removeAllHtmlTags(input) {
return input.replace(/<|>/g, "");
}
</sample>
<p>
Another potential fix is to use the popular <code>sanitize-html</code> npm library.
It keeps most of the safe HTML tags while removing all unsafe tags and attributes.
</p>
<sample language="javascript">
const sanitizeHtml = require("sanitize-html");
function removeAllHtmlTags(input) {
return sanitizeHtml(input);
}
</sample>
</example>
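Review bot: the new body of `removeAllHtmlTags` no longer matches its name. `sanitizeHtml(input)` with default options keeps an allowlist of tags (the sentence above says so itself: "keeps most of the safe HTML tags"), so the function now sanitizes rather than removes all tags. Rename it so the sample and its description agree (the Ruby counterpart in this commit uses `sanitize_html`; here `sanitizeHtml` would shadow the required module, so something like `sanitizeUserHtml` fits better), or add a sentence making clear that the two samples have different intent.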
@@ -98,7 +108,10 @@ str.replace(/\.\.\//g, "");
</sample>
<p>
This can result in an unsafe path being generated if only a single replacement is done.
The regular expression attempts to strip out all occurences of <code>/../</code> from <code>str</code>.
This will not work as expected: for the string <code>/./.././</code>, for example, it will remove the single
occurrence of <code>/../</code> in the middle, but the remainder of the string then becomes
<code>/../</code>, which is another instance of the substring we were trying to remove.
</p>
<p>
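Review bot: the paragraph and the regex it describes disagree. The context line `str.replace(/\.\.\//g, "")` removes `../`, but the text says it strips `/../` and builds the example on that: with `../` as the pattern, `/./.././` becomes `/././`, which contains no further `../`, so the example no longer demonstrates the flaw. Either describe the pattern the code actually uses (an input such as `..././`, which reduces to `../` after one pass, shows the same problem) or change the regex to match `/../`. "If only a single replacement is done" is also misleading: the `g` flag already replaces every non-overlapping match in one pass, and the defect is that only a single pass is done, not a single replacement. Typo: "occurences" should be "occurrences".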

View File

@@ -86,6 +86,18 @@ def remove_all_html_tags(input)
end
</sample>
<p>
Another potential fix is to use the popular <code>sanitize</code> gem.
It keeps most of the safe HTML tags while removing all unsafe tags and attributes.
</p>
<sample language="javascript">
require 'sanitize'
def sanitize_html(input)
Sanitize.fragment(input)
end
</sample>
</example>
<example>
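Review bot: the `<sample>` element for the Ruby snippet is tagged `language="javascript"`; it should be `language="ruby"` so the qhelp gets the right highlighting. Minor: the method is named `sanitize_html` while the hunk header shows the surrounding example's method as `remove_all_html_tags`, and the JavaScript counterpart in this commit keeps the `removeAllHtmlTags` name for the library-based version, so the two qhelp files now name the same fix differently; pick one naming and apply it to both.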
@@ -98,7 +110,10 @@ str.gsub(/\.\.\//, "")
</sample>
<p>
This can result in an unsafe path being generated if only a single replacement is done.
The regular expression attempts to strip out all occurences of <code>/../</code> from <code>str</code>.
This will not work as expected: for the string <code>/./.././</code>, for example, it will remove the single
occurrence of <code>/../</code> in the middle, but the remainder of the string then becomes
<code>/../</code>, which is another instance of the substring we were trying to remove.
</p>
<p>
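Review bot: same mismatch as in the JavaScript qhelp. `str.gsub(/\.\.\//, "")` removes `../`, yet the paragraph talks about `/../`, and with the actual pattern `/./.././` becomes `/././`, which contains no further `../`, so the worked example does not show the problem. Align the text with the code (or the regex with the text), and reword "if only a single replacement is done": `gsub` already replaces every match, so the flaw is a single pass, not a single replacement. Typo: "occurences" should be "occurrences".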