add sources and sinks for typeahead.js

2025-12-20 18:56:32 +01:00 · 2019-11-21 13:31:05 +01:00
parent 8f3998915b
commit c7235bb372
10 changed files with 978 additions and 0 deletions
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -75,6 +75,7 @@ import semmle.javascript.frameworks.DigitalOcean
 import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
+import semmle.javascript.frameworks.typeahead
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
--- a/javascript/ql/src/semmle/javascript/frameworks/typeahead.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/typeahead.qll
@@ -0,0 +1,134 @@
+/**
+ * Provides classes for working with typeahead.js code (https://www.npmjs.com/package/typeahead.js).
+ */
+
+import javascript
+
+module Typeahead {
+  /**
+   * A reference to the Bloodhound class, which is a utility-class for generating auto-complete suggestions.
+   * Sometimes these suggestions can originate from remote sources.
+   */
+  class Bloodhound extends DataFlow::SourceNode {
+    Bloodhound() {
+      this = DataFlow::moduleImport("typeahead.js/dist/bloodhound.js")
+      or
+      this.accessesGlobal("Bloodhound")
+    }
+  }
+
+  /**
+   * An instance of the Bloodhound class.
+   */
+  class BloodhoundInstance extends DataFlow::NewNode {
+    BloodhoundInstance() { this = any(Bloodhound b).getAnInstantiation() }
+  }
+
+  /**
+   * An instance of of the Bloodhound class that is used to fetch data from a remote server.
+   */
+  class RemoteBloodhoundClientRequest extends ClientRequest::Range, BloodhoundInstance {
+    string optionName;
+    DataFlow::ValueNode option;
+
+    RemoteBloodhoundClientRequest() {
+      (optionName = "remote" or optionName = "prefetch") and
+      option = this.getOptionArgument(0, optionName)
+    }
+
+    /**
+     * Gets the URL for this Bloodhound instance.
+     * The Bloodhound API specifies that the "remote" and "prefetch" options are either strings,
+     * or an object containing an "url" property.
+     */
+    override DataFlow::Node getUrl() {
+      if exists(option.getALocalSource().getAPropertyWrite("url"))
+      then result = option.getALocalSource().getAPropertyWrite("url").getRhs()
+      else result = option
+    }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+
+    override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
+      responseType = "json" and
+      promise = false and
+      /*
+       * exists(TypeAheadSuggestionTaintStep step |
+       *          (
+       *            this.flowsTo(step)
+       *            or
+       *            this.getAMethodCall("ttAdapter").flowsTo(step)
+       *          ) and
+       *          step.step(_, result)
+       *        )
+       *        or
+       */
+
+      // the first occurrence of the responseDataNode can be very disconnected from the instantiation of Bloodhound
+      // So I do this trick to get a taint-path that is readable to a developer.
+      // The above (possibly with added type-tracking) would be the correct way, but which gives unhelpful feedback to developers.
+      result = this
+    }
+  }
+
+  /**
+   * A function that generates suggestions to typeahead.
+   */
+  class TypeaheadSuggestionFunction extends DataFlow::FunctionNode {
+    DataFlow::CallNode typeaheadCall;
+
+    TypeaheadSuggestionFunction() {
+      typeaheadCall = JQuery::objectRef().getAMethodCall("typeahead") and
+      this = typeaheadCall
+            .getOptionArgument(1, "templates")
+            .getALocalSource()
+            .getAPropertySource("suggestion")
+            .getAFunctionValue()
+    }
+
+    /**
+     * Gets the call to typeahead.js where this suggestion function is used.
+     */
+    DataFlow::CallNode getTypeaheadCall() { result = typeaheadCall }
+  }
+
+  /**
+   * A taint step that models that the `source` in typeahead is used to determine the input to the suggestion function.
+   */
+  class TypeAheadSuggestionTaintStep extends TaintTracking::AdditionalTaintStep {
+    DataFlow::Node successor;
+    TypeaheadSuggestionFunction suggestionFunction;
+
+    TypeAheadSuggestionTaintStep() {
+      this = suggestionFunction.getTypeaheadCall().getOptionArgument(1, "source") and
+      successor = suggestionFunction.getParameter(0)
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      (
+        pred = this
+        or
+        pred = this.getAFunctionValue().getParameter(1).getACall().getAnArgument()
+      ) and
+      succ = successor
+    }
+  }
+
+  /**
+   * A taint step that models a call to `.ttAdapter()` on an instance of Bloodhound.
+   */
+  class BloodHoundAdapterStep extends TaintTracking::AdditionalTaintStep, BloodhoundInstance {
+    DataFlow::Node successor;
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      this.flowsTo(pred) and
+      exists(DataFlow::MethodCallNode call |
+        succ = call and
+        call.getReceiver() = pred and
+        call.getMethodName() = "ttAdapter"
+      )
+    }
+  }
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -95,6 +95,8 @@ module DomBasedXss {
        mcn.getMethodName() = m and
        this = mcn.getArgument(1)
      )
+      or
+      this = any(Typeahead::TypeaheadSuggestionFunction f).getAReturn()
    }
  }

--- a/javascript/ql/test/library-tests/frameworks/typeahead/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/typeahead/test.expected
@@ -0,0 +1,8 @@
+url
+| tst.js:4:15:4:52 | '/api/d ... %QUERY' |
+| tst.js:8:16:8:29 | searchIndexUrl |
+response
+| json | false | tst.js:2:12:6:3 | new Blo ...   }\\n\\t}) |
+| json | false | tst.js:7:12:9:3 | new Blo ... Url\\n\\t}) |
+suggestionFunction
+| tst.js:15:25:17:4 | functio ... \\n\\t\\n\\t\\t\\t} |
--- a/javascript/ql/test/library-tests/frameworks/typeahead/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/typeahead/test.ql
@@ -0,0 +1,13 @@
+import javascript
+
+query DataFlow::Node url() {
+   result = any(Typeahead::RemoteBloodhoundClientRequest r).getUrl()	
+}
+
+query DataFlow::Node response(string responseType, boolean promise) {
+   result = any(Typeahead::RemoteBloodhoundClientRequest r).getAResponseDataNode(responseType, promise)	
+}
+
+query DataFlow::Node suggestionFunction() {
+  result = any(Typeahead::TypeaheadSuggestionFunction t)	
+}
--- a/javascript/ql/test/library-tests/frameworks/typeahead/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/typeahead/tst.js
@@ -0,0 +1,20 @@
+(function () {
+	var foo = new Bloodhound({
+	    remote: {
+	        url: '/api/destinations/search?text=%QUERY'
+	    }
+	});
+	var bar = new Bloodhound({
+	    prefetch: searchIndexUrl
+	});
+	
+	$('.typeahead').typeahead({}, {
+        name: 'prefetchedCities',
+        source: bar.ttAdapter(),
+        templates: {
+            suggestion: function (taintedParam) {
+	
+			},
+        }
+    });
+})();
--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -315,6 +315,14 @@ nodes
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
+| typeahead.js:20:13:20:45 | target |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:21:12:21:17 | target |
+| typeahead.js:24:30:24:32 | val |
+| typeahead.js:25:18:25:20 | val |
+| typeahead.js:25:18:25:20 | val |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
@@ -604,6 +612,13 @@ edges
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
 | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted |
+| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
+| typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
@@ -693,6 +708,7 @@ edges
 | tst.js:285:59:285:65 | tainted | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:9:282:29 | tainted | user-provided value |
 | tst.js:285:59:285:65 | tainted | tst.js:282:19:282:29 | window.name | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:19:282:29 | window.name | user-provided value |
 | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:59:285:65 | tainted | user-provided value |
+| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
@@ -0,0 +1,730 @@
+nodes
+| addEventListener.js:1:43:1:47 | event |
+| addEventListener.js:1:43:1:47 | event |
+| addEventListener.js:2:20:2:24 | event |
+| addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:5:43:5:48 | data |
+| addEventListener.js:5:43:5:48 | {data} |
+| addEventListener.js:5:43:5:48 | {data} |
+| addEventListener.js:5:44:5:47 | data |
+| addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:10:21:10:25 | event |
+| addEventListener.js:10:21:10:25 | event |
+| addEventListener.js:12:24:12:28 | event |
+| addEventListener.js:12:24:12:33 | event.data |
+| addEventListener.js:12:24:12:33 | event.data |
+| jquery.js:2:7:2:40 | tainted |
+| jquery.js:2:17:2:33 | document.location |
+| jquery.js:2:17:2:33 | document.location |
+| jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:4:5:4:11 | tainted |
+| jquery.js:4:5:4:11 | tainted |
+| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:7:20:7:26 | tainted |
+| jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:8:28:8:34 | tainted |
+| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message |
+| nodemailer.js:13:50:13:66 | req.query.message |
+| react-native.js:7:7:7:33 | tainted |
+| react-native.js:7:17:7:33 | req.param("code") |
+| react-native.js:7:17:7:33 | req.param("code") |
+| react-native.js:8:18:8:24 | tainted |
+| react-native.js:8:18:8:24 | tainted |
+| react-native.js:9:27:9:33 | tainted |
+| react-native.js:9:27:9:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location |
+| stored-xss.js:2:39:2:55 | document.location |
+| stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:3:35:3:51 | document.location |
+| stored-xss.js:3:35:3:51 | document.location |
+| stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:8:20:8:48 | localSt ... local') |
+| string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:4:16:4:32 | document.location |
+| string-manipulations.js:4:16:4:32 | document.location |
+| string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:32 | document.location |
+| string-manipulations.js:5:16:5:32 | document.location |
+| string-manipulations.js:5:16:5:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:6:16:6:32 | document.location |
+| string-manipulations.js:6:16:6:32 | document.location |
+| string-manipulations.js:6:16:6:37 | documen ... on.href |
+| string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:7:16:7:32 | document.location |
+| string-manipulations.js:7:16:7:32 | document.location |
+| string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:8:16:8:32 | document.location |
+| string-manipulations.js:8:16:8:32 | document.location |
+| string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:52 | document.location |
+| string-manipulations.js:9:36:9:52 | document.location |
+| string-manipulations.js:9:36:9:57 | documen ... on.href |
+| string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:39 | document.location |
+| string-manipulations.js:10:23:10:39 | document.location |
+| string-manipulations.js:10:23:10:44 | documen ... on.href |
+| translate.js:6:7:6:39 | target |
+| translate.js:6:16:6:32 | document.location |
+| translate.js:6:16:6:32 | document.location |
+| translate.js:6:16:6:39 | documen ... .search |
+| translate.js:7:42:7:47 | target |
+| translate.js:7:42:7:60 | target.substring(1) |
+| translate.js:9:27:9:50 | searchP ... 'term') |
+| translate.js:9:27:9:50 | searchP ... 'term') |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
+| tst3.js:2:23:2:74 | decodeU ... str(1)) |
+| tst3.js:2:42:2:56 | window.location |
+| tst3.js:2:42:2:56 | window.location |
+| tst3.js:2:42:2:63 | window. ... .search |
+| tst3.js:2:42:2:73 | window. ... bstr(1) |
+| tst3.js:4:25:4:28 | data |
+| tst3.js:4:25:4:32 | data.src |
+| tst3.js:4:25:4:32 | data.src |
+| tst3.js:5:26:5:29 | data |
+| tst3.js:5:26:5:31 | data.p |
+| tst3.js:5:26:5:31 | data.p |
+| tst3.js:7:32:7:35 | data |
+| tst3.js:7:32:7:37 | data.p |
+| tst3.js:7:32:7:37 | data.p |
+| tst3.js:9:37:9:40 | data |
+| tst3.js:9:37:9:42 | data.p |
+| tst3.js:9:37:9:42 | data.p |
+| tst3.js:10:38:10:41 | data |
+| tst3.js:10:38:10:43 | data.p |
+| tst3.js:10:38:10:43 | data.p |
+| tst.js:2:7:2:39 | target |
+| tst.js:2:16:2:32 | document.location |
+| tst.js:2:16:2:32 | document.location |
+| tst.js:2:16:2:39 | documen ... .search |
+| tst.js:5:18:5:23 | target |
+| tst.js:5:18:5:23 | target |
+| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:8:37:8:53 | document.location |
+| tst.js:8:37:8:53 | document.location |
+| tst.js:8:37:8:58 | documen ... on.href |
+| tst.js:8:37:8:114 | documen ... t=")+8) |
+| tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:12:28:12:33 | target |
+| tst.js:19:25:19:41 | document.location |
+| tst.js:19:25:19:41 | document.location |
+| tst.js:20:18:20:35 | params.get('name') |
+| tst.js:20:18:20:35 | params.get('name') |
+| tst.js:23:42:23:47 | target |
+| tst.js:23:42:23:60 | target.substring(1) |
+| tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:27:14:27:19 | target |
+| tst.js:29:18:29:23 | target |
+| tst.js:29:18:29:23 | target |
+| tst.js:31:5:31:21 | document.location |
+| tst.js:31:5:31:21 | document.location |
+| tst.js:31:5:31:28 | documen ... .search |
+| tst.js:34:10:34:26 | document.location |
+| tst.js:34:10:34:26 | document.location |
+| tst.js:34:10:34:33 | documen ... .search |
+| tst.js:37:16:37:20 | bar() |
+| tst.js:37:16:37:20 | bar() |
+| tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:43:20:43:36 | document.location |
+| tst.js:43:20:43:36 | document.location |
+| tst.js:43:20:43:43 | documen ... .search |
+| tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:49:21:49:37 | document.location |
+| tst.js:49:21:49:37 | document.location |
+| tst.js:49:21:49:44 | documen ... .search |
+| tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:57:21:57:37 | document.location |
+| tst.js:57:21:57:37 | document.location |
+| tst.js:57:21:57:44 | documen ... .search |
+| tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:59:21:59:37 | document.location |
+| tst.js:59:21:59:37 | document.location |
+| tst.js:59:21:59:44 | documen ... .search |
+| tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:21:61:31 | chop(bar()) |
+| tst.js:61:26:61:30 | bar() |
+| tst.js:63:34:63:34 | s |
+| tst.js:65:18:65:18 | s |
+| tst.js:65:18:65:18 | s |
+| tst.js:67:25:67:41 | document.location |
+| tst.js:67:25:67:41 | document.location |
+| tst.js:67:25:67:48 | documen ... .search |
+| tst.js:68:25:68:41 | document.location |
+| tst.js:68:25:68:41 | document.location |
+| tst.js:68:25:68:48 | documen ... .search |
+| tst.js:71:16:71:20 | bar() |
+| tst.js:71:16:71:20 | bar() |
+| tst.js:73:1:73:27 | [,docum ... search] |
+| tst.js:73:3:73:19 | document.location |
+| tst.js:73:3:73:19 | document.location |
+| tst.js:73:3:73:26 | documen ... .search |
+| tst.js:73:46:73:46 | x |
+| tst.js:76:20:76:20 | x |
+| tst.js:76:20:76:20 | x |
+| tst.js:80:49:80:65 | document.location |
+| tst.js:80:49:80:65 | document.location |
+| tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:72 | documen ... .search |
+| tst.js:84:26:84:42 | document.location |
+| tst.js:84:26:84:42 | document.location |
+| tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:49 | documen ... .search |
+| tst.js:85:25:85:41 | document.location |
+| tst.js:85:25:85:41 | document.location |
+| tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:48 | documen ... .search |
+| tst.js:87:33:87:49 | document.location |
+| tst.js:87:33:87:49 | document.location |
+| tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:56 | documen ... .search |
+| tst.js:88:32:88:48 | document.location |
+| tst.js:88:32:88:48 | document.location |
+| tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:55 | documen ... .search |
+| tst.js:93:39:93:55 | document.location |
+| tst.js:93:39:93:55 | document.location |
+| tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:62 | documen ... .search |
+| tst.js:99:30:99:46 | document.location |
+| tst.js:99:30:99:46 | document.location |
+| tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:53 | documen ... .search |
+| tst.js:105:25:105:41 | document.location |
+| tst.js:105:25:105:41 | document.location |
+| tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:48 | documen ... .search |
+| tst.js:110:7:110:44 | v |
+| tst.js:110:11:110:27 | document.location |
+| tst.js:110:11:110:27 | document.location |
+| tst.js:110:11:110:34 | documen ... .search |
+| tst.js:110:11:110:44 | documen ... bstr(1) |
+| tst.js:113:18:113:18 | v |
+| tst.js:113:18:113:18 | v |
+| tst.js:145:29:145:43 | window.location |
+| tst.js:145:29:145:43 | window.location |
+| tst.js:145:29:145:50 | window. ... .search |
+| tst.js:148:29:148:29 | v |
+| tst.js:148:49:148:49 | v |
+| tst.js:148:49:148:49 | v |
+| tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:155:40:155:54 | window.location |
+| tst.js:155:40:155:54 | window.location |
+| tst.js:155:40:155:61 | window. ... .search |
+| tst.js:174:9:174:41 | target |
+| tst.js:174:18:174:34 | document.location |
+| tst.js:174:18:174:34 | document.location |
+| tst.js:174:18:174:41 | documen ... .search |
+| tst.js:177:28:177:33 | target |
+| tst.js:177:28:177:33 | target |
+| tst.js:181:9:181:42 | tainted |
+| tst.js:181:19:181:35 | document.location |
+| tst.js:181:19:181:35 | document.location |
+| tst.js:181:19:181:42 | documen ... .search |
+| tst.js:183:31:183:37 | tainted |
+| tst.js:183:31:183:37 | tainted |
+| tst.js:185:42:185:48 | tainted |
+| tst.js:185:42:185:48 | tainted |
+| tst.js:186:33:186:39 | tainted |
+| tst.js:186:33:186:39 | tainted |
+| tst.js:188:54:188:60 | tainted |
+| tst.js:188:54:188:60 | tainted |
+| tst.js:189:45:189:51 | tainted |
+| tst.js:189:45:189:51 | tainted |
+| tst.js:194:9:194:42 | tainted |
+| tst.js:194:19:194:35 | document.location |
+| tst.js:194:19:194:35 | document.location |
+| tst.js:194:19:194:42 | documen ... .search |
+| tst.js:196:67:196:73 | tainted |
+| tst.js:196:67:196:73 | tainted |
+| tst.js:197:67:197:73 | tainted |
+| tst.js:197:67:197:73 | tainted |
+| tst.js:201:35:201:41 | tainted |
+| tst.js:203:46:203:52 | tainted |
+| tst.js:204:38:204:44 | tainted |
+| tst.js:205:35:205:41 | tainted |
+| tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:233:35:233:41 | tainted |
+| tst.js:235:20:235:26 | tainted |
+| tst.js:237:23:237:29 | tainted |
+| tst.js:238:23:238:29 | tainted |
+| tst.js:244:39:244:55 | props.propTainted |
+| tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:252:23:252:29 | tainted |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:257:7:257:10 | name |
+| tst.js:257:7:257:10 | name |
+| tst.js:257:7:257:10 | name |
+| tst.js:261:11:261:21 | window.name |
+| tst.js:261:11:261:21 | window.name |
+| tst.js:261:11:261:21 | window.name |
+| tst.js:277:22:277:29 | location |
+| tst.js:277:22:277:29 | location |
+| tst.js:277:22:277:29 | location |
+| tst.js:282:9:282:29 | tainted |
+| tst.js:282:9:282:29 | tainted |
+| tst.js:282:19:282:29 | window.name |
+| tst.js:282:19:282:29 | window.name |
+| tst.js:285:59:285:65 | tainted |
+| tst.js:285:59:285:65 | tainted |
+| tst.js:285:59:285:65 | tainted |
+| typeahead.js:2:7:4:4 | autocompleter |
+| typeahead.js:2:23:4:4 | new Blo ... rl\\n  }) |
+| typeahead.js:2:23:4:4 | new Blo ... rl\\n  }) |
+| typeahead.js:7:13:7:25 | autocompleter |
+| typeahead.js:7:13:7:37 | autocom ... apter() |
+| typeahead.js:9:28:9:30 | loc |
+| typeahead.js:10:16:10:18 | loc |
+| typeahead.js:10:16:10:18 | loc |
+| typeahead.js:20:13:20:45 | target |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:21:12:21:17 | target |
+| typeahead.js:24:30:24:32 | val |
+| typeahead.js:25:18:25:20 | val |
+| typeahead.js:25:18:25:20 | val |
+| v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location |
+| v-html.vue:6:42:6:58 | document.location |
+| winjs.js:2:7:2:53 | tainted |
+| winjs.js:2:17:2:33 | document.location |
+| winjs.js:2:17:2:33 | document.location |
+| winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:3:43:3:49 | tainted |
+| winjs.js:3:43:3:49 | tainted |
+| winjs.js:4:43:4:49 | tainted |
+| winjs.js:4:43:4:49 | tainted |
+edges
+| addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
+| addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
+| addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:5:43:5:48 | data | addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:5:43:5:48 | data | addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:5:43:5:48 | {data} | addEventListener.js:5:44:5:47 | data |
+| addEventListener.js:5:43:5:48 | {data} | addEventListener.js:5:44:5:47 | data |
+| addEventListener.js:5:44:5:47 | data | addEventListener.js:5:43:5:48 | data |
+| addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
+| addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
+| addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
+| addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
+| jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
+| jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
+| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
+| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
+| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
+| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
+| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
+| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
+| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href |
+| string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href |
+| string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href |
+| string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target |
+| translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search |
+| translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search |
+| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |
+| translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) |
+| translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') |
+| translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:9:37:9:40 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:10:38:10:41 | data |
+| tst3.js:2:23:2:74 | decodeU ... str(1)) | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
+| tst3.js:2:42:2:56 | window.location | tst3.js:2:42:2:63 | window. ... .search |
+| tst3.js:2:42:2:56 | window.location | tst3.js:2:42:2:63 | window. ... .search |
+| tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) |
+| tst3.js:2:42:2:73 | window. ... bstr(1) | tst3.js:2:23:2:74 | decodeU ... str(1)) |
+| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
+| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
+| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
+| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
+| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
+| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
+| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
+| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
+| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
+| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
+| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
+| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
+| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target |
+| tst.js:2:7:2:39 | target | tst.js:23:42:23:47 | target |
+| tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
+| tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
+| tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
+| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
+| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
+| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
+| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:23:42:23:47 | target | tst.js:23:42:23:60 | target.substring(1) |
+| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target |
+| tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target |
+| tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search |
+| tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search |
+| tst.js:31:5:31:28 | documen ... .search | tst.js:27:14:27:19 | target |
+| tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search |
+| tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:61:26:61:30 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() |
+| tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search |
+| tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search |
+| tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search |
+| tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search |
+| tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search |
+| tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search |
+| tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search |
+| tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search |
+| tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:26:61:30 | bar() | tst.js:61:21:61:31 | chop(bar()) |
+| tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s |
+| tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s |
+| tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search |
+| tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search |
+| tst.js:67:25:67:48 | documen ... .search | tst.js:63:34:63:34 | s |
+| tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search |
+| tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search |
+| tst.js:68:25:68:48 | documen ... .search | tst.js:63:34:63:34 | s |
+| tst.js:73:1:73:27 | [,docum ... search] | tst.js:73:46:73:46 | x |
+| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
+| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
+| tst.js:73:3:73:26 | documen ... .search | tst.js:73:1:73:27 | [,docum ... search] |
+| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x |
+| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v |
+| tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v |
+| tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search |
+| tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search |
+| tst.js:110:11:110:34 | documen ... .search | tst.js:110:11:110:44 | documen ... bstr(1) |
+| tst.js:110:11:110:44 | documen ... bstr(1) | tst.js:110:7:110:44 | v |
+| tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search |
+| tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search |
+| tst.js:145:29:145:50 | window. ... .search | tst.js:148:29:148:29 | v |
+| tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v |
+| tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v |
+| tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search |
+| tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search |
+| tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target |
+| tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target |
+| tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search |
+| tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search |
+| tst.js:174:18:174:41 | documen ... .search | tst.js:174:9:174:41 | target |
+| tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted |
+| tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search |
+| tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search |
+| tst.js:181:19:181:42 | documen ... .search | tst.js:181:9:181:42 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:201:35:201:41 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:203:46:203:52 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:204:38:204:44 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:205:35:205:41 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:233:35:233:41 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:235:20:235:26 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:237:23:237:29 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:238:23:238:29 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:252:23:252:29 | tainted |
+| tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search |
+| tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search |
+| tst.js:194:19:194:42 | documen ... .search | tst.js:194:9:194:42 | tainted |
+| tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:252:23:252:29 | tainted | tst.js:244:39:244:55 | props.propTainted |
+| tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name |
+| tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name |
+| tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name |
+| tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location |
+| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
+| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
+| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
+| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
+| tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
+| tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
+| tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted |
+| typeahead.js:2:7:4:4 | autocompleter | typeahead.js:7:13:7:25 | autocompleter |
+| typeahead.js:2:23:4:4 | new Blo ... rl\\n  }) | typeahead.js:2:7:4:4 | autocompleter |
+| typeahead.js:2:23:4:4 | new Blo ... rl\\n  }) | typeahead.js:2:7:4:4 | autocompleter |
+| typeahead.js:7:13:7:25 | autocompleter | typeahead.js:7:13:7:37 | autocom ... apter() |
+| typeahead.js:7:13:7:37 | autocom ... apter() | typeahead.js:9:28:9:30 | loc |
+| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
+| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
+| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
+| typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
+| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted |
+#select
+| addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
+| addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value |
+| addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value |
+| jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
+| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
+| jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
+| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
+| react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
+| react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
+| stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:55 | document.location | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:55 | document.location | user-provided value |
+| stored-xss.js:8:20:8:48 | localSt ... local') | stored-xss.js:3:35:3:51 | document.location | stored-xss.js:8:20:8:48 | localSt ... local') | Cross-site scripting vulnerability due to $@. | stored-xss.js:3:35:3:51 | document.location | user-provided value |
+| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location | Cross-site scripting vulnerability due to $@. | string-manipulations.js:3:16:3:32 | document.location | user-provided value |
+| string-manipulations.js:4:16:4:37 | documen ... on.href | string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href | Cross-site scripting vulnerability due to $@. | string-manipulations.js:4:16:4:32 | document.location | user-provided value |
+| string-manipulations.js:5:16:5:47 | documen ... lueOf() | string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:47 | documen ... lueOf() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:5:16:5:32 | document.location | user-provided value |
+| string-manipulations.js:6:16:6:43 | documen ... f.sup() | string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:43 | documen ... f.sup() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:6:16:6:32 | document.location | user-provided value |
+| string-manipulations.js:7:16:7:51 | documen ... rCase() | string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:51 | documen ... rCase() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:7:16:7:32 | document.location | user-provided value |
+| string-manipulations.js:8:16:8:48 | documen ... mLeft() | string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:48 | documen ... mLeft() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:8:16:8:32 | document.location | user-provided value |
+| string-manipulations.js:9:16:9:58 | String. ... n.href) | string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:16:9:58 | String. ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:9:36:9:52 | document.location | user-provided value |
+| string-manipulations.js:10:16:10:45 | String( ... n.href) | string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:16:10:45 | String( ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:10:23:10:39 | document.location | user-provided value |
+| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:32 | document.location | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:32 | document.location | user-provided value |
+| tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:56 | window.location | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:56 | window.location | user-provided value |
+| tst3.js:5:26:5:31 | data.p | tst3.js:2:42:2:56 | window.location | tst3.js:5:26:5:31 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:56 | window.location | user-provided value |
+| tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:56 | window.location | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:56 | window.location | user-provided value |
+| tst3.js:9:37:9:42 | data.p | tst3.js:2:42:2:56 | window.location | tst3.js:9:37:9:42 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:56 | window.location | user-provided value |
+| tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:56 | window.location | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:56 | window.location | user-provided value |
+| tst.js:5:18:5:23 | target | tst.js:2:16:2:32 | document.location | tst.js:5:18:5:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:32 | document.location | user-provided value |
+| tst.js:8:18:8:126 | "<OPTIO ... PTION>" | tst.js:8:37:8:53 | document.location | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | Cross-site scripting vulnerability due to $@. | tst.js:8:37:8:53 | document.location | user-provided value |
+| tst.js:12:5:12:42 | '<div s ...  'px">' | tst.js:2:16:2:32 | document.location | tst.js:12:5:12:42 | '<div s ...  'px">' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:32 | document.location | user-provided value |
+| tst.js:20:18:20:35 | params.get('name') | tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:19:25:19:41 | document.location | user-provided value |
+| tst.js:24:18:24:41 | searchP ... 'name') | tst.js:2:16:2:32 | document.location | tst.js:24:18:24:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:32 | document.location | user-provided value |
+| tst.js:29:18:29:23 | target | tst.js:31:5:31:21 | document.location | tst.js:29:18:29:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:31:5:31:21 | document.location | user-provided value |
+| tst.js:37:16:37:20 | bar() | tst.js:34:10:34:26 | document.location | tst.js:37:16:37:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:34:10:34:26 | document.location | user-provided value |
+| tst.js:43:16:43:44 | baz(doc ... search) | tst.js:43:20:43:36 | document.location | tst.js:43:16:43:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:43:20:43:36 | document.location | user-provided value |
+| tst.js:49:16:49:45 | wrap(do ... search) | tst.js:49:21:49:37 | document.location | tst.js:49:16:49:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:49:21:49:37 | document.location | user-provided value |
+| tst.js:57:16:57:45 | chop(do ... search) | tst.js:57:21:57:37 | document.location | tst.js:57:16:57:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:57:21:57:37 | document.location | user-provided value |
+| tst.js:59:16:59:45 | chop(do ... search) | tst.js:59:21:59:37 | document.location | tst.js:59:16:59:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:59:21:59:37 | document.location | user-provided value |
+| tst.js:61:16:61:32 | wrap(chop(bar())) | tst.js:34:10:34:26 | document.location | tst.js:61:16:61:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:34:10:34:26 | document.location | user-provided value |
+| tst.js:65:18:65:18 | s | tst.js:67:25:67:41 | document.location | tst.js:65:18:65:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:67:25:67:41 | document.location | user-provided value |
+| tst.js:65:18:65:18 | s | tst.js:68:25:68:41 | document.location | tst.js:65:18:65:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:68:25:68:41 | document.location | user-provided value |
+| tst.js:71:16:71:20 | bar() | tst.js:34:10:34:26 | document.location | tst.js:71:16:71:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:34:10:34:26 | document.location | user-provided value |
+| tst.js:76:20:76:20 | x | tst.js:73:3:73:19 | document.location | tst.js:76:20:76:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:73:3:73:19 | document.location | user-provided value |
+| tst.js:80:49:80:72 | documen ... .search | tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:80:49:80:65 | document.location | user-provided value |
+| tst.js:84:26:84:49 | documen ... .search | tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:84:26:84:42 | document.location | user-provided value |
+| tst.js:85:25:85:48 | documen ... .search | tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:85:25:85:41 | document.location | user-provided value |
+| tst.js:87:33:87:56 | documen ... .search | tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:87:33:87:49 | document.location | user-provided value |
+| tst.js:88:32:88:55 | documen ... .search | tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:88:32:88:48 | document.location | user-provided value |
+| tst.js:93:39:93:62 | documen ... .search | tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:93:39:93:55 | document.location | user-provided value |
+| tst.js:99:30:99:53 | documen ... .search | tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:99:30:99:46 | document.location | user-provided value |
+| tst.js:105:25:105:48 | documen ... .search | tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:105:25:105:41 | document.location | user-provided value |
+| tst.js:113:18:113:18 | v | tst.js:110:11:110:27 | document.location | tst.js:113:18:113:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:110:11:110:27 | document.location | user-provided value |
+| tst.js:148:49:148:49 | v | tst.js:145:29:145:43 | window.location | tst.js:148:49:148:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:145:29:145:43 | window.location | user-provided value |
+| tst.js:152:29:152:46 | xssSourceService() | tst.js:155:40:155:54 | window.location | tst.js:152:29:152:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:155:40:155:54 | window.location | user-provided value |
+| tst.js:177:28:177:33 | target | tst.js:174:18:174:34 | document.location | tst.js:177:28:177:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:174:18:174:34 | document.location | user-provided value |
+| tst.js:183:31:183:37 | tainted | tst.js:181:19:181:35 | document.location | tst.js:183:31:183:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:35 | document.location | user-provided value |
+| tst.js:185:42:185:48 | tainted | tst.js:181:19:181:35 | document.location | tst.js:185:42:185:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:35 | document.location | user-provided value |
+| tst.js:186:33:186:39 | tainted | tst.js:181:19:181:35 | document.location | tst.js:186:33:186:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:35 | document.location | user-provided value |
+| tst.js:188:54:188:60 | tainted | tst.js:181:19:181:35 | document.location | tst.js:188:54:188:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:35 | document.location | user-provided value |
+| tst.js:189:45:189:51 | tainted | tst.js:181:19:181:35 | document.location | tst.js:189:45:189:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:35 | document.location | user-provided value |
+| tst.js:196:67:196:73 | tainted | tst.js:194:19:194:35 | document.location | tst.js:196:67:196:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:197:67:197:73 | tainted | tst.js:194:19:194:35 | document.location | tst.js:197:67:197:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:209:28:209:46 | this.state.tainted1 | tst.js:194:19:194:35 | document.location | tst.js:209:28:209:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:210:28:210:46 | this.state.tainted2 | tst.js:194:19:194:35 | document.location | tst.js:210:28:210:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:211:28:211:46 | this.state.tainted3 | tst.js:194:19:194:35 | document.location | tst.js:211:28:211:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:215:32:215:49 | prevState.tainted4 | tst.js:194:19:194:35 | document.location | tst.js:215:32:215:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:222:28:222:46 | this.props.tainted1 | tst.js:194:19:194:35 | document.location | tst.js:222:28:222:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:223:28:223:46 | this.props.tainted2 | tst.js:194:19:194:35 | document.location | tst.js:223:28:223:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:224:28:224:46 | this.props.tainted3 | tst.js:194:19:194:35 | document.location | tst.js:224:28:224:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:228:32:228:49 | prevProps.tainted4 | tst.js:194:19:194:35 | document.location | tst.js:228:32:228:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:248:60:248:82 | this.st ... Tainted | tst.js:194:19:194:35 | document.location | tst.js:248:60:248:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:194:19:194:35 | document.location | user-provided value |
+| tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:256:7:256:17 | window.name | user-provided value |
+| tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:257:7:257:10 | name | user-provided value |
+| tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:261:11:261:21 | window.name | user-provided value |
+| tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:277:22:277:29 | location | user-provided value |
+| tst.js:285:59:285:65 | tainted | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:9:282:29 | tainted | user-provided value |
+| tst.js:285:59:285:65 | tainted | tst.js:282:19:282:29 | window.name | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:19:282:29 | window.name | user-provided value |
+| tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:59:285:65 | tainted | user-provided value |
+| typeahead.js:10:16:10:18 | loc | typeahead.js:2:23:4:4 | new Blo ... rl\\n  }) | typeahead.js:10:16:10:18 | loc | Cross-site scripting vulnerability due to $@. | typeahead.js:2:23:4:4 | new Blo ... rl\\n  }) | user-provided value |
+| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
+| v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
+| winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
+| winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.ql
@@ -0,0 +1,24 @@
+/**
+ * @name Client-side cross-site scripting
+ * @description Writing user input directly to the DOM allows for
+ *              a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
+import DataFlow::PathGraph
+import semmle.javascript.heuristics.AdditionalSources
+
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
+  "user-provided value"
--- a/javascript/ql/test/query-tests/Security/CWE-079/typeahead.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/typeahead.js
@@ -0,0 +1,30 @@
+(function () {
+  var autocompleter = new Bloodhound({
+    prefetch: remoteUrl
+  })
+  autocompleter.initialize();
+  $('.typeahead').typeahead({}, {
+    source: autocompleter.ttAdapter(),
+    templates: {
+      suggestion: function(loc) {
+        return loc; // NOT OK!
+      }
+    }
+  })
+
+
+  $('.typeahead').typeahead({},
+    {
+      name: 'dashboards',
+      source: function (query, cb) {
+        var target = document.location.search
+        cb(target);
+      },
+      templates: {
+        suggestion: function(val) {
+          return val; // NOT OK 
+        }
+      }
+    }
+  )	
+})