From 5fe6671cc52dba295ff7e403d2ab3ee89cfe09b4 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen
Date: Mon, 23 Aug 2021 08:30:50 +0200
Subject: [PATCH] making it more explicit what character class matching is used for

---
 .../Security/CWE-116/IncompleteMultiCharacterSanitization.ql | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
index de94fd774af..0043183af47 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
@@ -67,9 +67,12 @@ DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm t) {
   or
   t.getAMatchedString() = result
   or
+  // A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "" (e.g. /<[^<]*>/), as these might consume nested HTML tags, and thus prevent the dangerous pattern this query is looking for. not cc.matches(">") ) or