hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #910 from xiemaisi/js/regexp-taint

Browse Source 
Approved by esben-semmle
This commit is contained in:
semmle-qlci
2019-02-12 13:15:16 +00:00
committed by GitHub
parent 583358bee3 6ce77ea1ef
commit c133362660
9 changed files with 315 additions and 622 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
change-notes/1.20/analysis-javascript.md
View File

@@ -9,7 +9,7 @@
- asynchronous code, for example [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
* File classification has been improved to recognize additional generated files, for example files from [HTML Tidy](html-tidy.org).
* The taint tracking library now recognizes flow through persistent storage, class fields, and callbacks in certain cases. This may give more results for the security queries.
* The taint tracking library now recognizes flow through persistent storage, class fields, and callbacks in certain cases. Handling of regular expressions has also been improved. This may give more results for the security queries.
* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.
@@ -33,9 +33,11 @@
| **Query** | **Expected impact** | **Change** |
|--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
| Client-side cross-site scripting | More true-positive results, fewer false-positive results. | This rule now recognizes WinJS functions that are vulnerable to HTML injection, and no longer flags certain safe uses of jQuery. |
| Client-side cross-site scripting | More true-positive results, fewer false-positive results. | This rule now recognizes WinJS functions that are vulnerable to HTML injection. It no longer flags certain safe uses of jQuery, and recognizes custom sanitizers. |
| Hard-coded credentials | Fewer false-positive results | This rule no longer flag the empty string as a hardcoded username. |
| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
| Reflected cross-site scripting | Fewer false-positive results. | This rule now recognizes custom sanitizers. |
| Stored cross-site scripting | Fewer false-positive results. | This rule now recognizes custom sanitizers. |
| Uncontrolled data used in network request | More results | This rule now recognizes host values that are vulnerable to injection. |
| Unused parameter | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, and no longer flags variables with leading underscore. |

21
javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
View File

@@ -473,6 +473,27 @@ module TaintTracking {
}
}
/**
* A taint-propagating data flow edge from the first (and only) argument in a call to
* `RegExp.prototype.exec` to its result.
*/
private class RegExpExecTaintStep extends AdditionalTaintStep {
DataFlow::MethodCallNode self;
RegExpExecTaintStep() {
this = self and
self.getReceiver().analyze().getAType() = TTRegExp() and
self.getMethodName() = "exec" and
self.getNumArgument() = 1
}
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
pred = self.getArgument(0) and
succ = this
}
}
/**
* A taint propagating data flow edge arising from JSON unparsing.
*/

167
javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
View File

@@ -4,32 +4,9 @@
*/
import javascript
import semmle.javascript.security.dataflow.RemoteFlowSources
import semmle.javascript.frameworks.jQuery
module DomBasedXss {
/**
* A data flow source for XSS vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for XSS vulnerabilities.
*/
abstract class Sink extends DataFlow::Node {
/**
* Gets the kind of vulnerability to report in the alert message.
*
* Defaults to `Cross-site scripting`, but may be overriden for sinks
* that do not allow script injection, but injection of other undesirable HTML elements.
*/
string getVulnerabilityKind() { result = "Cross-site scripting" }
}
/**
* A sanitizer for XSS vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
import Xss::DomBasedXss
/**
* A taint-tracking configuration for reasoning about XSS.
@@ -68,146 +45,4 @@ module DomBasedXss {
class LocationSource extends Source, DataFlow::ValueNode {
LocationSource() { isDocumentURL(astNode) }
}
/**
* An expression whose value is interpreted as HTML
* and may be inserted into the DOM through a library.
*/
class LibrarySink extends Sink, DataFlow::ValueNode {
LibrarySink() {
// call to a jQuery method that interprets its argument as HTML
exists(JQueryMethodCall call | call.interpretsArgumentAsHtml(astNode) |
// either the argument is always interpreted as HTML
not call.interpretsArgumentAsSelector(astNode)
or
// or it doesn't start with something other than `<`, and so at least
// _may_ be interpreted as HTML
not exists(DataFlow::Node prefix, string strval |
isPrefixOfJQueryHtmlString(astNode, prefix) and
strval = prefix.asExpr().getStringValue() and
not strval.regexpMatch("\\s*<.*")
) and
not isDocumentURL(astNode)
)
or
// call to an Angular method that interprets its argument as HTML
any(AngularJS::AngularJSCall call).interpretsArgumentAsHtml(this.asExpr())
or
// call to a WinJS function that interprets its argument as HTML
exists(DataFlow::MethodCallNode mcn, string m |
m = "setInnerHTMLUnsafe" or m = "setOuterHTMLUnsafe"
|
mcn.getMethodName() = m and
this = mcn.getArgument(1)
)
}
}
/**
* Holds if `prefix` is a prefix of `htmlString`, which may be intepreted as
* HTML by a jQuery method.
*/
private predicate isPrefixOfJQueryHtmlString(Expr htmlString, DataFlow::Node prefix) {
any(JQueryMethodCall call).interpretsArgumentAsHtml(htmlString) and
prefix = htmlString.flow()
or
exists(DataFlow::Node pred | isPrefixOfJQueryHtmlString(htmlString, pred) |
prefix = StringConcatenation::getFirstOperand(pred)
or
prefix = pred.getAPredecessor()
)
}
/**
* An expression whose value is interpreted as HTML or CSS
* and may be inserted into the DOM.
*/
class DomSink extends Sink {
DomSink() {
// Call to a DOM function that inserts its argument into the DOM
any(DomMethodCallExpr call).interpretsArgumentsAsHTML(this.asExpr())
or
// Assignment to a dangerous DOM property
exists(DomPropWriteNode pw |
pw.interpretsValueAsHTML() and
this = DataFlow::valueNode(pw.getRhs())
)
or
// `html` or `source.html` properties of React Native `WebView`
exists(ReactNative::WebViewElement webView, DataFlow::SourceNode source |
source = webView or
source = webView.getAPropertyWrite("source").getRhs().getALocalSource()
|
this = source.getAPropertyWrite("html").getRhs()
)
}
}
/**
* An expression whose value is interpreted as HTML by a DOMParser.
*/
class DomParserSink extends Sink {
DomParserSink() {
exists(DataFlow::GlobalVarRefNode domParser |
domParser.getName() = "DOMParser" and
this = domParser.getAnInstantiation().getAMethodCall("parseFromString").getArgument(0)
)
}
}
/**
* A React `dangerouslySetInnerHTML` attribute, viewed as an XSS sink.
*
* Any write to the `__html` property of an object assigned to this attribute
* is considered an XSS sink.
*/
class DangerouslySetInnerHtmlSink extends Sink, DataFlow::ValueNode {
DangerouslySetInnerHtmlSink() {
exists(DataFlow::Node danger, DataFlow::SourceNode valueSrc |
exists(JSXAttribute attr |
attr.getName() = "dangerouslySetInnerHTML" and
attr.getValue() = danger.asExpr()
)
or
exists(ReactElementDefinition def, DataFlow::ObjectLiteralNode props |
props.flowsTo(def.getProps()) and
props.hasPropertyWrite("dangerouslySetInnerHTML", danger)
)
|
valueSrc.flowsTo(danger) and
valueSrc.hasPropertyWrite("__html", this)
)
}
}
/**
* The HTML body of an email, viewed as an XSS sink.
*/
class EmailHtmlBodySink extends Sink {
EmailHtmlBodySink() { this = any(EmailSender sender).getHtmlBody() }
override string getVulnerabilityKind() { result = "HTML injection" }
}
/**
* A write to the `template` option of a Vue instance, viewed as an XSS sink.
*/
class VueTemplateSink extends DomBasedXss::Sink {
VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }
}
/**
* The tag name argument to the `createElement` parameter of the
* `render` method of a Vue instance, viewed as an XSS sink.
*/
class VueCreateElementSink extends DomBasedXss::Sink {
VueCreateElementSink() {
exists(Vue::Instance i, DataFlow::FunctionNode f |
f.flowsTo(i.getRender()) and
this = f.getParameter(0).getACall().getArgument(0)
)
}
}
}

36
javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll
View File

@@ -4,24 +4,9 @@
*/
import javascript
import semmle.javascript.security.dataflow.RemoteFlowSources
import semmle.javascript.frameworks.jQuery
module ReflectedXss {
/**
* A data flow source for XSS vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for XSS vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
/**
* A sanitizer for XSS vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
import Xss::ReflectedXss
/**
* A taint-tracking configuration for reasoning about XSS.
@@ -47,23 +32,4 @@ module ReflectedXss {
this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
}
}
/**
* An expression that is sent as part of an HTTP response, considered as an XSS sink.
*
* We exclude cases where the route handler sets either an unknown content type or
* a content type that does not (case-insensitively) contain the string "html". This
* is to prevent us from flagging plain-text or JSON responses as vulnerable.
*/
private class HttpResponseSink extends Sink {
HttpResponseSink() {
exists(HTTP::ResponseSendArgument sendarg | sendarg = asExpr() |
forall(HTTP::HeaderDefinition hd |
hd = sendarg.getRouteHandler().getAResponseHeader("content-type")
|
exists(string tp | hd.defines("content-type", tp) | tp.toLowerCase().matches("%html%"))
)
)
}
}
}

26
javascript/ql/src/semmle/javascript/security/dataflow/StoredXss.qll
View File

@@ -4,25 +4,9 @@
*/
import javascript
import semmle.javascript.security.dataflow.RemoteFlowSources
import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
import semmle.javascript.security.dataflow.DomBasedXss as DomBasedXss
module StoredXss {
/**
* A data flow source for XSS vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for XSS vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
/**
* A sanitizer for XSS vulnerabilities.
*/
abstract class Sanitizer extends DataFlow::Node { }
import Xss::StoredXss
/**
* A taint-tracking configuration for reasoning about XSS.
@@ -44,12 +28,4 @@ module StoredXss {
class FileNameSourceAsSource extends Source {
FileNameSourceAsSource() { this instanceof FileNameSource }
}
/** An ordinary XSS sink, considered as a flow sink for stored XSS. */
class XssSinkAsSink extends Sink {
XssSinkAsSink() {
this instanceof ReflectedXss::ReflectedXss::Sink or
this instanceof DomBasedXss::DomBasedXss::Sink
}
}
}

267
javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll Normal file
View File

@@ -0,0 +1,267 @@
/**
* Provides classes and predicates used by the XSS queries.
*/
import javascript
/** Provides classes and predicates shared between the XSS queries. */
module Shared {
/** A data flow source for XSS vulnerabilities. */
abstract class Source extends DataFlow::Node { }
/** A data flow sink for XSS vulnerabilities. */
abstract class Sink extends DataFlow::Node {
/**
* Gets the kind of vulnerability to report in the alert message.
*
* Defaults to `Cross-site scripting`, but may be overriden for sinks
* that do not allow script injection, but injection of other undesirable HTML elements.
*/
string getVulnerabilityKind() { result = "Cross-site scripting" }
}
/** A sanitizer for XSS vulnerabilities. */
abstract class Sanitizer extends DataFlow::Node { }
/**
* A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
* XSS vulnerabilities.
*
* The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
* so any such replacement stops taint propagation.
*/
class MetacharEscapeSanitizer extends Sanitizer, DataFlow::MethodCallNode {
MetacharEscapeSanitizer() {
getMethodName() = "replace" and
exists(RegExpConstant c |
c.getLiteral() = getArgument(0).asExpr() and
c.getValue().regexpMatch("['\"&<>]")
)
}
}
}
/** Provides classes and predicates for the DOM-based XSS query. */
module DomBasedXss {
/** A data flow source for DOM-based XSS vulnerabilities. */
abstract class Source extends Shared::Source { }
/** A data flow sink for DOM-based XSS vulnerabilities. */
abstract class Sink extends Shared::Sink { }
/** A sanitizer for DOM-based XSS vulnerabilities. */
abstract class Sanitizer extends Shared::Sanitizer { }
/**
* An expression whose value is interpreted as HTML
* and may be inserted into the DOM through a library.
*/
class LibrarySink extends Sink, DataFlow::ValueNode {
LibrarySink() {
// call to a jQuery method that interprets its argument as HTML
exists(JQueryMethodCall call | call.interpretsArgumentAsHtml(astNode) |
// either the argument is always interpreted as HTML
not call.interpretsArgumentAsSelector(astNode)
or
// or it doesn't start with something other than `<`, and so at least
// _may_ be interpreted as HTML
not exists(DataFlow::Node prefix, string strval |
isPrefixOfJQueryHtmlString(astNode, prefix) and
strval = prefix.asExpr().getStringValue() and
not strval.regexpMatch("\\s*<.*")
) and
not isDocumentURL(astNode)
)
or
// call to an Angular method that interprets its argument as HTML
any(AngularJS::AngularJSCall call).interpretsArgumentAsHtml(this.asExpr())
or
// call to a WinJS function that interprets its argument as HTML
exists(DataFlow::MethodCallNode mcn, string m |
m = "setInnerHTMLUnsafe" or m = "setOuterHTMLUnsafe"
|
mcn.getMethodName() = m and
this = mcn.getArgument(1)
)
}
}
/**
* Holds if `prefix` is a prefix of `htmlString`, which may be intepreted as
* HTML by a jQuery method.
*/
private predicate isPrefixOfJQueryHtmlString(Expr htmlString, DataFlow::Node prefix) {
any(JQueryMethodCall call).interpretsArgumentAsHtml(htmlString) and
prefix = htmlString.flow()
or
exists(DataFlow::Node pred | isPrefixOfJQueryHtmlString(htmlString, pred) |
prefix = StringConcatenation::getFirstOperand(pred)
or
prefix = pred.getAPredecessor()
)
}
/**
* An expression whose value is interpreted as HTML or CSS
* and may be inserted into the DOM.
*/
class DomSink extends Sink {
DomSink() {
// Call to a DOM function that inserts its argument into the DOM
any(DomMethodCallExpr call).interpretsArgumentsAsHTML(this.asExpr())
or
// Assignment to a dangerous DOM property
exists(DomPropWriteNode pw |
pw.interpretsValueAsHTML() and
this = DataFlow::valueNode(pw.getRhs())
)
or
// `html` or `source.html` properties of React Native `WebView`
exists(ReactNative::WebViewElement webView, DataFlow::SourceNode source |
source = webView or
source = webView.getAPropertyWrite("source").getRhs().getALocalSource()
|
this = source.getAPropertyWrite("html").getRhs()
)
}
}
/**
* An expression whose value is interpreted as HTML by a DOMParser.
*/
class DomParserSink extends Sink {
DomParserSink() {
exists(DataFlow::GlobalVarRefNode domParser |
domParser.getName() = "DOMParser" and
this = domParser.getAnInstantiation().getAMethodCall("parseFromString").getArgument(0)
)
}
}
/**
* A React `dangerouslySetInnerHTML` attribute, viewed as an XSS sink.
*
* Any write to the `__html` property of an object assigned to this attribute
* is considered an XSS sink.
*/
class DangerouslySetInnerHtmlSink extends Sink, DataFlow::ValueNode {
DangerouslySetInnerHtmlSink() {
exists(DataFlow::Node danger, DataFlow::SourceNode valueSrc |
exists(JSXAttribute attr |
attr.getName() = "dangerouslySetInnerHTML" and
attr.getValue() = danger.asExpr()
)
or
exists(ReactElementDefinition def, DataFlow::ObjectLiteralNode props |
props.flowsTo(def.getProps()) and
props.hasPropertyWrite("dangerouslySetInnerHTML", danger)
)
|
valueSrc.flowsTo(danger) and
valueSrc.hasPropertyWrite("__html", this)
)
}
}
/**
* The HTML body of an email, viewed as an XSS sink.
*/
class EmailHtmlBodySink extends Sink {
EmailHtmlBodySink() { this = any(EmailSender sender).getHtmlBody() }
override string getVulnerabilityKind() { result = "HTML injection" }
}
/**
* A write to the `template` option of a Vue instance, viewed as an XSS sink.
*/
class VueTemplateSink extends DomBasedXss::Sink {
VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }
}
/**
* The tag name argument to the `createElement` parameter of the
* `render` method of a Vue instance, viewed as an XSS sink.
*/
class VueCreateElementSink extends DomBasedXss::Sink {
VueCreateElementSink() {
exists(Vue::Instance i, DataFlow::FunctionNode f |
f.flowsTo(i.getRender()) and
this = f.getParameter(0).getACall().getArgument(0)
)
}
}
/**
* A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
* XSS vulnerabilities.
*
* The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
* so any such replacement stops taint propagation.
*/
private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
}
/** Provides classes and predicates for the reflected XSS query. */
module ReflectedXss {
/** A data flow source for reflected XSS vulnerabilities. */
abstract class Source extends Shared::Source { }
/** A data flow sink for reflected XSS vulnerabilities. */
abstract class Sink extends Shared::Sink { }
/** A sanitizer for reflected XSS vulnerabilities. */
abstract class Sanitizer extends Shared::Sanitizer { }
/**
* An expression that is sent as part of an HTTP response, considered as an XSS sink.
*
* We exclude cases where the route handler sets either an unknown content type or
* a content type that does not (case-insensitively) contain the string "html". This
* is to prevent us from flagging plain-text or JSON responses as vulnerable.
*/
private class HttpResponseSink extends Sink {
HttpResponseSink() {
exists(HTTP::ResponseSendArgument sendarg | sendarg = asExpr() |
forall(HTTP::HeaderDefinition hd |
hd = sendarg.getRouteHandler().getAResponseHeader("content-type")
|
exists(string tp | hd.defines("content-type", tp) | tp.toLowerCase().matches("%html%"))
)
)
}
}
/**
* A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
* XSS vulnerabilities.
*
* The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
* so any such replacement stops taint propagation.
*/
private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
}
/** Provides classes and predicates for the stored XSS query. */
module StoredXss {
/** A data flow source for stored XSS vulnerabilities. */
abstract class Source extends Shared::Source { }
/** A data flow sink for stored XSS vulnerabilities. */
abstract class Sink extends Shared::Sink { }
/** A sanitizer for stored XSS vulnerabilities. */
abstract class Sanitizer extends Shared::Sanitizer { }
/** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
private class AnySink extends Sink { AnySink() { this instanceof Shared::Sink } }
/**
* A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
* XSS vulnerabilities.
*
* The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
* so any such replacement stops taint propagation.
*/
private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
}

1
javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
View File

@@ -50,6 +50,7 @@
| tst.js:2:17:2:22 | "src1" | tst.js:4:15:4:29 | RegExp(source1) |
| tst.js:2:17:2:22 | "src1" | tst.js:5:15:5:33 | new String(source1) |
| tst.js:2:17:2:22 | "src1" | tst.js:6:15:6:33 | new String(source1) |
| tst.js:2:17:2:22 | "src1" | tst.js:11:17:11:20 | m[0] |
| tst.js:2:17:2:22 | "src1" | tst.js:14:15:14:32 | decodeURI(source1) |
| tst.js:2:17:2:22 | "src1" | tst.js:15:15:15:41 | decodeU ... ource1) |
| tst.js:2:17:2:22 | "src1" | tst.js:16:15:16:32 | encodeURI(source1) |

394
javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected
View File

@@ -1,229 +1,4 @@
nodes
| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| ReflectedXss.js:8:33:8:45 | req.params.id |
| addEventListener.js:1:43:1:47 | event |
| addEventListener.js:2:20:2:24 | event |
| addEventListener.js:2:20:2:29 | event.data |
| etherpad.js:9:5:9:53 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp |
| etherpad.js:9:16:9:36 | req.que ... p + "(" |
| etherpad.js:9:16:9:47 | req.que ... esponse |
| etherpad.js:9:16:9:53 | req.que ... e + ")" |
| etherpad.js:11:3:11:3 | response |
| etherpad.js:11:12:11:19 | response |
| formatting.js:4:9:4:29 | evil |
| formatting.js:4:16:4:29 | req.query.evil |
| formatting.js:6:14:6:47 | util.fo ... , evil) |
| formatting.js:6:43:6:46 | evil |
| formatting.js:7:14:7:53 | require ... , evil) |
| formatting.js:7:49:7:52 | evil |
| jquery.js:2:7:2:40 | tainted |
| jquery.js:2:17:2:33 | document.location |
| jquery.js:2:17:2:40 | documen ... .search |
| jquery.js:4:5:4:11 | tainted |
| jquery.js:7:5:7:26 | "<div i ... tainted |
| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
| jquery.js:7:20:7:26 | tainted |
| jquery.js:8:18:8:34 | "XSS: " + tainted |
| jquery.js:8:28:8:34 | tainted |
| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| nodemailer.js:13:50:13:66 | req.query.message |
| partial.js:9:25:9:25 | x |
| partial.js:10:14:10:14 | x |
| partial.js:10:14:10:18 | x + y |
| partial.js:13:42:13:48 | req.url |
| partial.js:18:25:18:25 | x |
| partial.js:19:14:19:14 | x |
| partial.js:19:14:19:18 | x + y |
| partial.js:22:51:22:57 | req.url |
| partial.js:27:25:27:25 | x |
| partial.js:28:14:28:14 | x |
| partial.js:28:14:28:18 | x + y |
| partial.js:31:47:31:53 | req.url |
| partial.js:36:25:36:25 | x |
| partial.js:37:14:37:14 | x |
| partial.js:37:14:37:18 | x + y |
| partial.js:40:43:40:49 | req.url |
| promises.js:5:3:5:59 | new Pro ... .data)) |
| promises.js:5:44:5:57 | req.query.data |
| promises.js:6:11:6:11 | x |
| promises.js:6:11:6:11 | x |
| promises.js:6:25:6:25 | x |
| promises.js:6:25:6:25 | x |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
| react-native.js:8:18:8:24 | tainted |
| react-native.js:9:27:9:33 | tainted |
| stored-xss.js:2:39:2:55 | document.location |
| stored-xss.js:2:39:2:62 | documen ... .search |
| stored-xss.js:3:35:3:51 | document.location |
| stored-xss.js:3:35:3:58 | documen ... .search |
| stored-xss.js:5:20:5:52 | session ... ssion') |
| stored-xss.js:8:20:8:48 | localSt ... local') |
| string-manipulations.js:3:16:3:32 | document.location |
| string-manipulations.js:4:16:4:32 | document.location |
| string-manipulations.js:4:16:4:37 | documen ... on.href |
| string-manipulations.js:5:16:5:32 | document.location |
| string-manipulations.js:5:16:5:37 | documen ... on.href |
| string-manipulations.js:5:16:5:47 | documen ... lueOf() |
| string-manipulations.js:6:16:6:32 | document.location |
| string-manipulations.js:6:16:6:37 | documen ... on.href |
| string-manipulations.js:6:16:6:43 | documen ... f.sup() |
| string-manipulations.js:7:16:7:32 | document.location |
| string-manipulations.js:7:16:7:37 | documen ... on.href |
| string-manipulations.js:7:16:7:51 | documen ... rCase() |
| string-manipulations.js:8:16:8:32 | document.location |
| string-manipulations.js:8:16:8:37 | documen ... on.href |
| string-manipulations.js:8:16:8:48 | documen ... mLeft() |
| string-manipulations.js:9:16:9:58 | String. ... n.href) |
| string-manipulations.js:9:36:9:52 | document.location |
| string-manipulations.js:9:36:9:57 | documen ... on.href |
| string-manipulations.js:10:16:10:45 | String( ... n.href) |
| string-manipulations.js:10:23:10:39 | document.location |
| string-manipulations.js:10:23:10:44 | documen ... on.href |
| translate.js:6:7:6:39 | target |
| translate.js:6:16:6:32 | document.location |
| translate.js:6:16:6:39 | documen ... .search |
| translate.js:7:42:7:47 | target |
| translate.js:7:42:7:60 | target.substring(1) |
| translate.js:9:27:9:50 | searchP ... 'term') |
| tst2.js:6:7:6:30 | p |
| tst2.js:6:7:6:30 | r |
| tst2.js:6:9:6:9 | p |
| tst2.js:6:12:6:15 | q: r |
| tst2.js:7:12:7:12 | p |
| tst2.js:8:12:8:12 | r |
| tst.js:2:7:2:39 | target |
| tst.js:2:16:2:32 | document.location |
| tst.js:2:16:2:39 | documen ... .search |
| tst.js:5:18:5:23 | target |
| tst.js:8:18:8:114 | "<OPTIO ... t=")+8) |
| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
| tst.js:8:37:8:53 | document.location |
| tst.js:8:37:8:58 | documen ... on.href |
| tst.js:8:37:8:114 | documen ... t=")+8) |
| tst.js:12:5:12:33 | '<div s ... target |
| tst.js:12:5:12:42 | '<div s ... 'px">' |
| tst.js:12:28:12:33 | target |
| tst.js:19:25:19:41 | document.location |
| tst.js:20:18:20:35 | params.get('name') |
| tst.js:23:42:23:47 | target |
| tst.js:23:42:23:60 | target.substring(1) |
| tst.js:24:18:24:41 | searchP ... 'name') |
| tst.js:27:14:27:19 | target |
| tst.js:29:18:29:23 | target |
| tst.js:31:5:31:21 | document.location |
| tst.js:31:5:31:28 | documen ... .search |
| tst.js:34:10:34:26 | document.location |
| tst.js:34:10:34:33 | documen ... .search |
| tst.js:37:16:37:20 | bar() |
| tst.js:43:16:43:44 | baz(doc ... search) |
| tst.js:43:20:43:36 | document.location |
| tst.js:43:20:43:43 | documen ... .search |
| tst.js:49:16:49:45 | wrap(do ... search) |
| tst.js:49:21:49:37 | document.location |
| tst.js:49:21:49:44 | documen ... .search |
| tst.js:57:16:57:45 | chop(do ... search) |
| tst.js:57:21:57:37 | document.location |
| tst.js:57:21:57:44 | documen ... .search |
| tst.js:59:16:59:45 | chop(do ... search) |
| tst.js:59:21:59:37 | document.location |
| tst.js:59:21:59:44 | documen ... .search |
| tst.js:61:16:61:32 | wrap(chop(bar())) |
| tst.js:61:21:61:31 | chop(bar()) |
| tst.js:61:26:61:30 | bar() |
| tst.js:63:34:63:34 | s |
| tst.js:65:18:65:18 | s |
| tst.js:67:25:67:41 | document.location |
| tst.js:67:25:67:48 | documen ... .search |
| tst.js:68:25:68:41 | document.location |
| tst.js:68:25:68:48 | documen ... .search |
| tst.js:71:16:71:20 | bar() |
| tst.js:73:1:73:27 | [,docum ... search] |
| tst.js:73:3:73:19 | document.location |
| tst.js:73:3:73:26 | documen ... .search |
| tst.js:73:46:73:46 | x |
| tst.js:74:7:74:7 | x |
| tst.js:76:20:76:20 | x |
| tst.js:80:49:80:65 | document.location |
| tst.js:80:49:80:72 | documen ... .search |
| tst.js:84:26:84:42 | document.location |
| tst.js:84:26:84:49 | documen ... .search |
| tst.js:85:25:85:41 | document.location |
| tst.js:85:25:85:48 | documen ... .search |
| tst.js:87:33:87:49 | document.location |
| tst.js:87:33:87:56 | documen ... .search |
| tst.js:88:32:88:48 | document.location |
| tst.js:88:32:88:55 | documen ... .search |
| tst.js:93:39:93:55 | document.location |
| tst.js:93:39:93:62 | documen ... .search |
| tst.js:99:30:99:46 | document.location |
| tst.js:99:30:99:53 | documen ... .search |
| tst.js:105:25:105:41 | document.location |
| tst.js:105:25:105:48 | documen ... .search |
| tst.js:110:7:110:44 | v |
| tst.js:110:11:110:27 | document.location |
| tst.js:110:11:110:34 | documen ... .search |
| tst.js:110:11:110:44 | documen ... bstr(1) |
| tst.js:113:18:113:18 | v |
| tst.js:145:29:145:43 | window.location |
| tst.js:145:29:145:50 | window. ... .search |
| tst.js:148:29:148:29 | v |
| tst.js:148:49:148:49 | v |
| tst.js:152:29:152:46 | xssSourceService() |
| tst.js:155:40:155:54 | window.location |
| tst.js:155:40:155:61 | window. ... .search |
| tst.js:174:9:174:41 | target |
| tst.js:174:18:174:34 | document.location |
| tst.js:174:18:174:41 | documen ... .search |
| tst.js:177:28:177:33 | target |
| tst.js:181:9:181:42 | tainted |
| tst.js:181:19:181:35 | document.location |
| tst.js:181:19:181:42 | documen ... .search |
| tst.js:183:31:183:37 | tainted |
| tst.js:185:42:185:48 | tainted |
| tst.js:186:33:186:39 | tainted |
| tst.js:188:54:188:60 | tainted |
| tst.js:189:45:189:51 | tainted |
| tst.js:194:9:194:42 | tainted |
| tst.js:194:19:194:35 | document.location |
| tst.js:194:19:194:42 | documen ... .search |
| tst.js:196:67:196:73 | tainted |
| tst.js:197:67:197:73 | tainted |
| tst.js:200:20:200:19 | tainted |
| tst.js:201:35:201:41 | tainted |
| tst.js:203:27:203:26 | tainted |
| tst.js:203:46:203:52 | tainted |
| tst.js:204:38:204:44 | tainted |
| tst.js:205:35:205:41 | tainted |
| tst.js:209:28:209:46 | this.state.tainted1 |
| tst.js:210:28:210:46 | this.state.tainted2 |
| tst.js:211:28:211:46 | this.state.tainted3 |
| tst.js:215:32:215:49 | prevState.tainted4 |
| tst.js:222:28:222:46 | this.props.tainted1 |
| tst.js:223:28:223:46 | this.props.tainted2 |
| tst.js:224:28:224:46 | this.props.tainted3 |
| tst.js:228:32:228:49 | prevProps.tainted4 |
| tst.js:233:35:233:41 | tainted |
| tst.js:235:20:235:26 | tainted |
| tst.js:237:23:237:29 | tainted |
| tst.js:238:23:238:29 | tainted |
| tst.js:244:39:244:55 | props.propTainted |
| tst.js:248:60:248:82 | this.st ... Tainted |
| tst.js:252:23:252:29 | tainted |
| tst.js:256:7:256:17 | window.name |
| tst.js:257:7:257:10 | name |
| tst.js:261:11:261:21 | window.name |
| tst.js:272:9:272:32 | loc3 |
| tst.js:272:16:272:32 | document.location |
| tst.js:275:7:275:10 | loc3 |
| tst.js:277:22:277:29 | location |
| winjs.js:2:7:2:53 | tainted |
| winjs.js:2:17:2:33 | document.location |
| winjs.js:2:17:2:40 | documen ... .search |
| winjs.js:2:17:2:53 | documen ... ring(1) |
| winjs.js:3:43:3:49 | tainted |
| winjs.js:4:43:4:49 | tainted |
| xss-through-filenames.js:7:43:7:48 | files1 |
| xss-through-filenames.js:8:18:8:23 | files1 |
| xss-through-filenames.js:25:43:25:48 | files1 |
@@ -238,175 +13,6 @@ nodes
| xss-through-filenames.js:35:29:35:34 | files2 |
| xss-through-filenames.js:37:19:37:24 | files3 |
edges
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
| addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:3:11:3 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:36 | req.que ... p + "(" |
| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:47 | req.que ... esponse |
| etherpad.js:9:16:9:47 | req.que ... esponse | etherpad.js:9:16:9:53 | req.que ... e + ")" |
| etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
| etherpad.js:11:3:11:3 | response | etherpad.js:11:12:11:19 | response |
| formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil |
| formatting.js:4:9:4:29 | evil | formatting.js:7:49:7:52 | evil |
| formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
| formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) |
| formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) |
| jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
| jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
| jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
| jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
| jquery.js:7:5:7:26 | "<div i ... tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:26 | "<div i ... tainted |
| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x |
| partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
| partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x |
| partial.js:18:25:18:25 | x | partial.js:19:14:19:14 | x |
| partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y |
| partial.js:22:51:22:57 | req.url | partial.js:18:25:18:25 | x |
| partial.js:27:25:27:25 | x | partial.js:28:14:28:14 | x |
| partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y |
| partial.js:31:47:31:53 | req.url | partial.js:27:25:27:25 | x |
| partial.js:36:25:36:25 | x | partial.js:37:14:37:14 | x |
| partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y |
| partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x |
| promises.js:5:3:5:59 | new Pro ... .data)) | promises.js:6:11:6:11 | x |
| promises.js:5:44:5:57 | req.query.data | promises.js:5:3:5:59 | new Pro ... .data)) |
| promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x |
| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
| string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
| string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href |
| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
| string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href |
| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
| string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href |
| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
| string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href |
| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
| string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href |
| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
| translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target |
| translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search |
| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |
| translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) |
| translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') |
| tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p |
| tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r |
| tst2.js:6:9:6:9 | p | tst2.js:6:7:6:30 | p |
| tst2.js:6:12:6:15 | q: r | tst2.js:6:7:6:30 | r |
| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target |
| tst.js:2:7:2:39 | target | tst.js:23:42:23:47 | target |
| tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
| tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
| tst.js:8:18:8:114 | "<OPTIO ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:114 | "<OPTIO ... t=")+8) |
| tst.js:12:5:12:33 | '<div s ... target | tst.js:12:5:12:42 | '<div s ... 'px">' |
| tst.js:12:28:12:33 | target | tst.js:12:5:12:33 | '<div s ... target |
| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
| tst.js:23:42:23:47 | target | tst.js:23:42:23:60 | target.substring(1) |
| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
| tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target |
| tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search |
| tst.js:31:5:31:28 | documen ... .search | tst.js:27:14:27:19 | target |
| tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search |
| tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() |
| tst.js:34:10:34:33 | documen ... .search | tst.js:61:26:61:30 | bar() |
| tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() |
| tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search |
| tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) |
| tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search |
| tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) |
| tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search |
| tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) |
| tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search |
| tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) |
| tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) |
| tst.js:61:26:61:30 | bar() | tst.js:61:21:61:31 | chop(bar()) |
| tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s |
| tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search |
| tst.js:67:25:67:48 | documen ... .search | tst.js:63:34:63:34 | s |
| tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search |
| tst.js:68:25:68:48 | documen ... .search | tst.js:63:34:63:34 | s |
| tst.js:73:1:73:27 | [,docum ... search] | tst.js:73:46:73:46 | x |
| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
| tst.js:73:3:73:26 | documen ... .search | tst.js:73:1:73:27 | [,docum ... search] |
| tst.js:73:46:73:46 | x | tst.js:74:7:74:7 | x |
| tst.js:74:7:74:7 | x | tst.js:76:20:76:20 | x |
| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
| tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v |
| tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search |
| tst.js:110:11:110:34 | documen ... .search | tst.js:110:11:110:44 | documen ... bstr(1) |
| tst.js:110:11:110:44 | documen ... bstr(1) | tst.js:110:7:110:44 | v |
| tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search |
| tst.js:145:29:145:50 | window. ... .search | tst.js:148:29:148:29 | v |
| tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v |
| tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search |
| tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() |
| tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target |
| tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search |
| tst.js:174:18:174:41 | documen ... .search | tst.js:174:9:174:41 | target |
| tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted |
| tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted |
| tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted |
| tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted |
| tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted |
| tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search |
| tst.js:181:19:181:42 | documen ... .search | tst.js:181:9:181:42 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:200:20:200:19 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:203:27:203:26 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:233:35:233:41 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:235:20:235:26 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:237:23:237:29 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:238:23:238:29 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:252:23:252:29 | tainted |
| tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search |
| tst.js:194:19:194:42 | documen ... .search | tst.js:194:9:194:42 | tainted |
| tst.js:200:20:200:19 | tainted | tst.js:201:35:201:41 | tainted |
| tst.js:200:20:200:19 | tainted | tst.js:204:38:204:44 | tainted |
| tst.js:200:20:200:19 | tainted | tst.js:205:35:205:41 | tainted |
| tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 |
| tst.js:203:27:203:26 | tainted | tst.js:203:46:203:52 | tainted |
| tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 |
| tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 |
| tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 |
| tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 |
| tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 |
| tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 |
| tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
| tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
| tst.js:252:23:252:29 | tainted | tst.js:244:39:244:55 | props.propTainted |
| tst.js:272:9:272:32 | loc3 | tst.js:275:7:275:10 | loc3 |
| tst.js:272:16:272:32 | document.location | tst.js:272:9:272:32 | loc3 |
| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
| winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) |
| winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted |
| xss-through-filenames.js:7:43:7:48 | files1 | xss-through-filenames.js:8:18:8:23 | files1 |
| xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:26:19:26:24 | files1 |
| xss-through-filenames.js:25:43:25:48 | files1 | xss-through-filenames.js:30:34:30:37 | file |

19
javascript/ql/test/query-tests/Security/CWE-079/sanitiser.js Normal file
View File

@@ -0,0 +1,19 @@
function escapeHtml(s) {
return s.toString()
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;');
}
function escapeAttr(s) {
return s.toString()
.replace(/'/g, '%22')
.replace(/"/g, '%27');
}
function test() {
var tainted = window.name;
var elt = document.createElement();
elt.innerHTML = "<a href=\"" + escapeAttr(tainted) + "\">" + escapeHtml(tainted) + "</a>"; // OK
elt.innerHTML = "<div>" + escapeAttr(tainted) + "</div>"; // NOT OK, but not flagged
}