JS: Remove FP in TargetBlank

2026-04-27 17:55:19 +02:00 · 2020-12-17 15:26:34 +00:00
parent 97f7cb4dc1
commit 3c0867125b
1 changed files with 9 additions and 0 deletions
--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -16,6 +16,13 @@ import javascript
 import semmle.javascript.frameworks.Templating
 import semmle.javascript.RestrictedLocations

+/**
+ * Holds if the `rel` attribute may be injected by an Angular2 directive.
+ */
+predicate maybeInjectedByAngular() {
+  DataFlow::moduleMember("@angular/core", "HostBinding").getACall().getArgument(0).mayHaveStringValue("attr.rel")
+}
+
 /**
 * Holds if the href attribute contains a host that we cannot determine statically.
 */
@@ -44,6 +51,8 @@ where
  e.getName() = "a" and
  // and the host in the href is not hard-coded
  hasDynamicHrefHostAttributeValue(e) and
+  // disable for Angular applications that dynamically inject the 'rel' attribute
+  not maybeInjectedByAngular() and
  e.getAttributeByName("target").getStringValue() = "_blank" and
  // there is no `rel` attribute specifying link type `noopener`/`noreferrer`;
  // `rel` attributes with non-constant value are handled conservatively