JS: Add comment to VueTemplateSink class

2026-04-28 18:25:24 +02:00 · 2021-07-01 14:15:27 +02:00
parent 0105b829c4
commit 7249d2892a
1 changed files with 4 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -331,7 +331,10 @@ module DomBasedXss {
   * A write to the `template` option of a Vue instance, viewed as an XSS sink.
   */
  class VueTemplateSink extends DomBasedXss::Sink {
-    VueTemplateSink() { this = any(Vue::Instance i).getOption("template") }
+    VueTemplateSink() {
+      // Note: don't use Vue::Instance#getTemplate as it includes an unwanted getALocalSource() step
+      this = any(Vue::Instance i).getOption("template")
+    }
  }

  /**