Added XSS sink for innerHTML/outerHTML using new Angular attribute def

2026-04-26 17:25:19 +02:00 · 2025-01-08 16:36:46 +00:00
parent 2dc9e7bab7
commit 4b57d5feb2
1 changed files with 13 additions and 19 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -251,25 +251,19 @@ module DomBasedXss {
    }
  }

-  // /**
-  //  * A write to the `innerHTML` property of a DOM element, viewed as an XSS sink.
-  //  *
-  //  * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
-  //  */
-  // class AngularRender2SetPropertyInnerHtmlSink extends Sink {
-  //   AngularRender2SetPropertyInnerHtmlSink() {
-  //     exists(API::CallNode setProperty |
-  //       setProperty =
-  //         API::moduleImport("@angular/core")
-  //             .getMember("Renderer2")
-  //             .getInstance()
-  //             .getMember("setProperty")
-  //             .getACall() and
-  //       this = setProperty.getParameter(2).asSink() and
-  //       setProperty.getArgument(1).getStringValue() = "innerHTML"
-  //     )
-  //   }
-  // }
+  /**
+   * A write to the `innerHTML` or `outerHTML` property of a DOM element, viewed as an XSS sink.
+   *
+   * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
+   */
+  class AngularRender2SetPropertyInnerHtmlSink2 extends Sink {
+    AngularRender2SetPropertyInnerHtmlSink2() {
+      exists(Angular2::AngularRenderer2AttributeDefinition attrDef |
+        attrDef.getName() = ["innerHTML", "outerHTML"] and
+        this = attrDef.getValueNode()
+      )
+    }
+  }

  /**
   * A value being piped into the `safe` pipe in a template file,