hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Improve alert location and message for IncompleteSanitization.

Browse Source 
We now highlight the `replace` call (instead of the regular expression), and the alert message for the case of missing backslash escapes clarifies that it is talking about failure to escape backslashes in the input, not in the replacement text.
This commit is contained in:
Max Schaefer
2019-02-08 09:13:40 +00:00
parent 6243c722c6
commit 3e26bc6446
2 changed files with 19 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected
View File

@@ -1,17 +1,17 @@
| tst.js:5:20:5:22 | "'" | This replaces only the first occurrence of "'". |
| tst.js:9:20:9:22 | /'/ | This replaces only the first occurrence of /'/. |
| tst.js:13:20:13:23 | /'/g | This does not backslash-escape the backslash character. |
| tst.js:17:20:17:23 | /'/g | This does not backslash-escape the backslash character. |
| tst.js:21:20:21:26 | /['"]/g | This does not backslash-escape the backslash character. |
| tst.js:25:20:25:28 | /(['"])/g | This does not backslash-escape the backslash character. |
| tst.js:29:20:29:27 | /('\|")/g | This does not backslash-escape the backslash character. |
| tst.js:33:20:33:22 | '\|' | This replaces only the first occurrence of '\|'. |
| tst.js:37:20:37:23 | /"/g | This does not backslash-escape the backslash character. |
| tst.js:41:20:41:22 | "/" | This replaces only the first occurrence of "/". |
| tst.js:45:20:45:24 | "%25" | This replaces only the first occurrence of "%25". |
| tst.js:49:20:49:22 | `'` | This replaces only the first occurrence of `'`. |
| tst.js:53:20:53:22 | "'" | This replaces only the first occurrence of "'". |
| tst.js:57:20:57:22 | `'` | This replaces only the first occurrence of `'`. |
| tst.js:61:20:61:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
| tst.js:65:20:65:22 | "'" | This replaces only the first occurrence of "'". |
| tst.js:69:20:69:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
| tst.js:5:10:5:18 | s.replace | This replaces only the first occurrence of "'". |
| tst.js:9:10:9:18 | s.replace | This replaces only the first occurrence of /'/. |
| tst.js:13:10:13:18 | s.replace | This does not escape backslash characters in the input. |
| tst.js:17:10:17:18 | s.replace | This does not escape backslash characters in the input. |
| tst.js:21:10:21:18 | s.replace | This does not escape backslash characters in the input. |
| tst.js:25:10:25:18 | s.replace | This does not escape backslash characters in the input. |
| tst.js:29:10:29:18 | s.replace | This does not escape backslash characters in the input. |
| tst.js:33:10:33:18 | s.replace | This replaces only the first occurrence of '\|'. |
| tst.js:37:10:37:18 | s.replace | This does not escape backslash characters in the input. |
| tst.js:41:10:41:18 | s.replace | This replaces only the first occurrence of "/". |
| tst.js:45:10:45:18 | s.replace | This replaces only the first occurrence of "%25". |
| tst.js:49:10:49:18 | s.replace | This replaces only the first occurrence of `'`. |
| tst.js:53:10:53:18 | s.replace | This replaces only the first occurrence of "'". |
| tst.js:57:10:57:18 | s.replace | This replaces only the first occurrence of `'`. |
| tst.js:61:10:61:18 | s.replace | This replaces only the first occurrence of "'" + "". |
| tst.js:65:10:65:18 | s.replace | This replaces only the first occurrence of "'". |
| tst.js:69:10:69:18 | s.replace | This replaces only the first occurrence of "'" + "". |