JS: Now BadHtmlSanitizers also flags new RegExp as potential issue

2026-04-27 01:35:13 +02:00 · 2024-11-26 09:20:34 +01:00
parent 41f21d429b
commit 38be0e4c0a
3 changed files with 5 additions and 2 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected
@@ -65,3 +65,6 @@
 | tst.js:305:10:305:34 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | This HTML sanitizer does not sanitize single quotes |
 | tst.js:320:9:329:3 | s().rep ... ;";\\n\\t}) | This HTML sanitizer does not sanitize single quotes |
+| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize single quotes |
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -330,5 +330,5 @@ function incompleteComplexSanitizers() {
 }

 function typicalBadHtmlSanitizers(s) {
-	s().replace(new RegExp("[<>]", "g"),''); // NOT OK -- should be not okay, but is not flagged
+	s().replace(new RegExp("[<>]", "g"),''); // NOT OK
 }