JS: whitelist quote stripping for js/incomplete-sanitization

2025-12-17 01:03:14 +01:00 · 2019-09-05 09:47:49 +01:00
parent 641232a9d7
commit a9665f53b8
3 changed files with 10 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -192,3 +192,8 @@ app.get('/some/path', function(req, res) {
 	var indirect = /'/;
 	return s.replace(indirect, ""); // NOT OK
 });
+
+(function (s) {
+	s.replace('"', '').replace('"', ''); // OK
+	s.replace("'", "").replace("'", ""); // OK
+});