hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove webview example and its reference in qlhelp file

Browse Source
This commit is contained in:
Behrang Fouladi Azarnaminy
2018-09-11 12:31:00 -07:00
parent 02047ea260
commit befca6cafa
2 changed files with 6 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
javascript/ql/src/Electron/EnablingNodeIntegration.qhelp
View File

@@ -5,10 +5,10 @@
<overview> <overview>
<p> <p>
Enabling Node.js integration in web content renderers (BrowserWindow, BrowserView and webview) could result in Enabling Node.js integration in web content renderers (<code>BrowserWindow</code>, <code>BrowserView</code> and <code>webview</code>) could result in
remote native code execution attacks when rendering malicious JavaScript code from untrusted remote web site or remote native code execution attacks when rendering malicious JavaScript code from untrusted remote web site or
code that is injected via a cross site scripting vulnerability into the web content under processing. Please note that code that is injected via a cross site scripting vulnerability into a trusted remote web site. Note that
the nodeIntegration property is enabled by default in Electron and needs to be set to 'false' explicitly. the <code>nodeIntegration</code> property is enabled by default in Electron and needs to be set to <code>false</code> explicitly.
</p> </p>
</overview> </overview>
@@ -21,28 +21,21 @@
<example> <example>
<p> <p>
The following example shows insecure use of BrowserWindow with regards to <code>nodeIntegration</code> The following example shows insecure use of <code>BrowserWindow</code> with regards to <code>nodeIntegration</code>
property: property:
</p> </p>
<sample src="examples/DefaultNodeIntegration.js"/> <sample src="examples/DefaultNodeIntegration.js"/>
<p> <p>
This is problematic, because default value of nodeIntegration is 'true'. This is problematic, because default value of <code>nodeIntegration</code> is 'true'.
</p> </p>
</example> </example>
<example>
<p>
The following example shows insecure and secure uses of <code>webview</code> tag:
</p>
<sample src="examples/WebViewNodeIntegration.html"/>
</example>
<example> <example>
<p> <p>
The following example shows insecure and secure uses of BrowserWindow and BrowserView when The following example shows insecure and secure uses of <code>BrowserWindow</code> and <code>BrowserView</code> when
loading untrusted web sites: loading untrusted web sites:
</p> </p>
<sample src="examples/EnablingNodeIntegration.js"/> <sample src="examples/EnablingNodeIntegration.js"/>

15
javascript/ql/src/Electron/examples/WebViewNodeIntegration.html
View File

@@ -1,15 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset = "UTF-8">
<title>WebView Examples</title>
</head>
<body>
<!-- BAD -->
<webview src="https://untrusted-site.com/" nodeintegration></webview>
<!-- GOOD -->
<webview src="https://untrusted-site.com/"></webview>
</body>
</html>