JS: Include $().prop() source in XssThroughDom

2026-04-28 02:05:14 +02:00 · 2021-03-11 16:27:31 +00:00
parent 2f3a76c43b
commit a03cb11257
3 changed files with 17 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -40,10 +40,16 @@ module XssThroughDom {
      (
        this.getMethodName() = ["text", "val"] and this.getNumArgument() = 0
        or
-        this.getMethodName() = "attr" and
-        this.getNumArgument() = 1 and
-        forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
-        this.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+        exists(string methodName, string value |
+          this.getMethodName() = methodName and
+          this.getNumArgument() = 1 and
+          forex(InferredType t | t = this.getArgument(0).analyze().getAType() | t = TTString()) and
+          this.getArgument(0).mayHaveStringValue(value)
+        |
+          methodName = "attr" and value = unsafeAttributeName()
+          or
+          methodName = "prop" and value = unsafeDomPropertyName()
+        )
      ) and
      // looks like a $("<p>" + ... ) source, which is benign for this query.
      not exists(DataFlow::Node prefix |