JS: Exclude client-side sources from RegExpInjection

2026-04-30 03:05:15 +02:00 · 2021-03-08 11:15:47 +00:00
parent 2e57a7d3e9
commit aa1c8c041e
2 changed files with 8 additions and 1 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-730/client-side.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/client-side.js
@@ -0,0 +1,4 @@
+function foo() {
+    let taint = window.location.hash.substring(1);
+    new RegExp(taint); // OK - we do not flag RegExp injection on the client side as the impact is too low
+}