recognize DOMPurify.sanitize as a HTML sanitizer

2026-04-30 03:05:15 +02:00 · 2020-05-26 13:34:33 +02:00
parent 3f66c04e12
commit 3e3372be4b
1 changed files with 5 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
+++ b/javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
@@ -48,6 +48,11 @@ private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
      or
      callee = LodashUnderscore::member("escape")
      or
+      exists(DataFlow::PropRead read | read = callee |
+        read.getPropertyName() = "sanitize" and
+        read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
+      )
+      or
      exists(string name | name = "encode" or name = "encodeNonUTF" |
        callee =
          DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or