JS: Use in ContainsHTMLGuard

Asger Feldthaus
2020-06-01 12:06:40 +01:00
parent fa1a6eefa7
commit 707b0f33a0
3 changed files with 73 additions and 8 deletions


@@ -78,18 +78,16 @@ module Shared {
* A sanitizer guard that checks for the existence of HTML chars in a string.
* E.g. `/["'&<>]/.exec(str)`.
*/
class ContainsHTMLGuard extends SanitizerGuard, DataFlow::MethodCallNode {
DataFlow::RegExpCreationNode regExp;
class ContainsHTMLGuard extends SanitizerGuard, StringOps::RegExpTest {
ContainsHTMLGuard() {
this.getMethodName() = ["test", "exec"] and
this.getReceiver().getALocalSource() = regExp and
regExp.getRoot() instanceof RegExpCharacterClass and
forall(string s | s = ["\"", "&", "<", ">"] | regExp.getRoot().getAMatchedString() = s)
exists(RegExpCharacterClass regExp |
regExp = getRegExp() and
forall(string s | s = ["\"", "&", "<", ">"] | regExp.getAMatchedString() = s)
)
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = false and e = this.getArgument(0).asExpr()
outcome = getPolarity().booleanNot() and e = this.getStringOperand().asExpr()
}
}
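Review bot: The character list in the `forall` of the new `ContainsHTMLGuard` constructor still omits the single quote, although the QLDoc example above it is `/["'&<>]/`, so a test against `/["&<>]/` is accepted as a sanitizer guard even though a value containing `'` passes it. Because the class now extends `StringOps::RegExpTest`, which presumably recognises more call shapes than the former `test`/`exec` match, the guard is likely to clear more flows than before, and a sink inside a single-quoted attribute could lose its alert. If the omission is deliberate, record it in the doc comment, for example `* The single quote is not required, because <reason>.`; otherwise require it with `s = ["\"", "'", "&", "<", ">"]`. The comment could also state that the sanitized branch is the one where the regexp does not match, which is what `getPolarity().booleanNot()` appears to encode.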