JS: address review comments

2026-04-28 10:15:14 +02:00 · 2019-02-25 12:13:40 +01:00
parent 80a716f3b3
commit 97edfc5524
2 changed files with 18 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Vue.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Vue.qll
@@ -416,7 +416,7 @@ module Vue {
  module Template {
    // Currently only supports HTML elements, but it may be possible to parse simple string templates later
    private newtype TElement =
-      MkHtmlElement(HTML::Element e) { exists(VueFile f | e.getFile() = f) }
+      MkHtmlElement(HTML::Element e) { e.getFile() instanceof VueFile }

    /**
     * An element of a template.
@@ -430,7 +430,7 @@ module Vue {
       * The location spans column `startcolumn` of line `startline` to
       * column `endcolumn` of line `endline` in file `filepath`.
       * For more information, see
-       * [LGTM locations](https://lgtm.com/help/ql/locations).
+       * [locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
       */
      predicate hasLocationInfo(
        string filepath, int startline, int startcolumn, int endline, int endcolumn
@@ -442,6 +442,11 @@ module Vue {
        endcolumn = 0
      }

+      /**
+       * Gets the name of this element.
+       *
+       * For example, the name of `<br>` is `br`.
+       */
      abstract string getName();
    }

@@ -461,6 +466,9 @@ module Vue {

      override string getName() { result = elem.getName() }

+      /**
+       * Gets the HTML element of this element.
+       */
      HTML::Element getElement() { result = elem }
    }
  }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -204,6 +204,10 @@ module DomBasedXss {
  class VHtmlSink extends DomBasedXss::Sink {
    HTML::Attribute attr;
    VHtmlSink() { this.(DataFlow::HtmlAttributeNode).getAttribute() = attr and attr.getName() = "v-html" }
+
+    /**
+     * Gets the HTML attribute of this sink.
+     */
    HTML::Attribute getAttr() {
      result = attr
    }
@@ -212,6 +216,10 @@ module DomBasedXss {
  /**
   * A taint propagating data flow edge through a string interpolation of a
   * Vue instance property to a `v-html` attribute.
+   *
+   * As an example, `<div v-html="prop"/>` reads the `prop` property
+   * of `inst = new Vue({ ..., data: { prop: source } })`, if the
+   * `div` element is part of the template for `inst`.
   */
  class VHtmlSourceWrite extends TaintTracking::AdditionalTaintStep {
    VHtmlSink attr;