Added escape as UriEncodingSanitizer

2025-12-17 01:03:14 +01:00 · 2025-03-14 14:53:21 +01:00
parent 37e02e4261
commit 4a691b778b
4 changed files with 3 additions and 25 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
@@ -53,7 +53,7 @@ module Shared {
  class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {
    UriEncodingSanitizer() {
      exists(string name | this = DataFlow::globalVarRef(name).getACall() |
-        name = "encodeURI" or name = "encodeURIComponent"
+        name in ["encodeURI", "encodeURIComponent", "escape"]
      )
    }
  }
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -120,8 +120,6 @@
 | string-manipulations.js:8:16:8:48 | documen ... mLeft() | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:8:16:8:37 | documen ... on.href | user-provided value |
 | string-manipulations.js:9:16:9:58 | String. ... n.href) | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:9:36:9:57 | documen ... on.href | user-provided value |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:10:23:10:44 | documen ... on.href | user-provided value |
-| string-manipulations.js:11:16:11:45 | escape( ... n.href) | string-manipulations.js:11:23:11:44 | documen ... on.href | string-manipulations.js:11:16:11:45 | escape( ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:11:23:11:44 | documen ... on.href | user-provided value |
-| string-manipulations.js:12:16:12:61 | escape( ... href))) | string-manipulations.js:12:37:12:58 | documen ... on.href | string-manipulations.js:12:16:12:61 | escape( ... href))) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:12:37:12:58 | documen ... on.href | user-provided value |
 | tainted-url-suffix-arguments.js:6:22:6:22 | y | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:6:22:6:22 | y | Cross-site scripting vulnerability due to $@. | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | user-provided value |
 | tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
 | tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
@@ -492,10 +490,6 @@ edges
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | provenance |  |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | provenance |  |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | provenance |  |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | string-manipulations.js:11:16:11:45 | escape( ... n.href) | provenance |  |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | string-manipulations.js:12:16:12:61 | escape( ... href))) | provenance |  |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | string-manipulations.js:12:23:12:60 | escape( ... .href)) | provenance |  |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | string-manipulations.js:12:30:12:59 | escape( ... n.href) | provenance |  |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | tainted-url-suffix-arguments.js:6:22:6:22 | y | provenance |  |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | tainted-url-suffix-arguments.js:12:17:12:19 | url | provenance |  |
 | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:11:11:11:36 | url | provenance |  |
@@ -1122,12 +1116,6 @@ nodes
 | string-manipulations.js:9:36:9:57 | documen ... on.href | semmle.label | documen ... on.href |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) | semmle.label | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:11:16:11:45 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:12:16:12:61 | escape( ... href))) | semmle.label | escape( ... href))) |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | semmle.label | escape( ... .href)) |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | semmle.label | documen ... on.href |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:6:22:6:22 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | semmle.label | url |
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -322,12 +322,6 @@ nodes
 | string-manipulations.js:9:36:9:57 | documen ... on.href | semmle.label | documen ... on.href |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) | semmle.label | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:11:16:11:45 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:12:16:12:61 | escape( ... href))) | semmle.label | escape( ... href))) |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | semmle.label | escape( ... .href)) |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | semmle.label | documen ... on.href |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:6:22:6:22 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | semmle.label | url |
@@ -940,10 +934,6 @@ edges
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | provenance |  |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | provenance |  |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | provenance |  |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | string-manipulations.js:11:16:11:45 | escape( ... n.href) | provenance |  |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | string-manipulations.js:12:16:12:61 | escape( ... href))) | provenance |  |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | string-manipulations.js:12:23:12:60 | escape( ... .href)) | provenance |  |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | string-manipulations.js:12:30:12:59 | escape( ... n.href) | provenance |  |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | tainted-url-suffix-arguments.js:6:22:6:22 | y | provenance |  |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | tainted-url-suffix-arguments.js:12:17:12:19 | url | provenance |  |
 | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:11:11:11:36 | url | provenance |  |
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js
@@ -8,5 +8,5 @@ document.write(document.location.href.toUpperCase()); // $ Alert
 document.write(document.location.href.trimLeft()); // $ Alert
 document.write(String.fromCharCode(document.location.href)); // $ Alert
 document.write(String(document.location.href)); // $ Alert
-document.write(escape(document.location.href)); // $ SPURIOUS: Alert
-document.write(escape(escape(escape(document.location.href)))); // $ SPURIOUS: Alert
+document.write(escape(document.location.href));
+document.write(escape(escape(escape(document.location.href))));