hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Make TargetBlank only highlight the first line of the link.

Browse Source 
Otherwise alerts for multi-line `<a>` elements end up looking very red.

I also took the opportunity to improve the tests slightly.
This commit is contained in:
Max Schaefer
2018-11-20 12:51:37 +00:00
parent dd4c9654f2
commit c1690a69e5
3 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/ql/src/DOM/TargetBlank.ql
View File

@@ -13,6 +13,7 @@
import javascript
import semmle.javascript.frameworks.Templating
import semmle.javascript.RestrictedLocations
/**
* Holds if the href attribute contains a host that we cannot determine statically.
@@ -53,4 +54,4 @@ where // `e` is a link that opens in a new browsing context (that is, it has `ta
not exists (DOM::AttributeDefinition attr | attr = e.getAnAttribute() |
not exists(attr.getName())
)
select e, "External links without noopener/noreferrer are a potential security risk."
select (FirstLineOf)e, "External links without noopener/noreferrer are a potential security risk."