Merge pull request #6549 from erik-krogh/moreDom

Approved by asgerf
2026-05-03 12:45:27 +02:00 · 2021-09-08 05:10:47 -07:00
parent 5d37748973 81742528a2
commit cd26d97dd7
4 changed files with 25 additions and 3 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
@@ -1591,7 +1591,7 @@ module DataFlow {
   */
  predicate localFieldStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(ClassNode cls, string prop |
-      pred = cls.getAReceiverNode().getAPropertyWrite(prop).getRhs() or
+      pred = cls.getADirectSuperClass*().getAReceiverNode().getAPropertyWrite(prop).getRhs() or
      pred = cls.getInstanceMethod(prop)
    |
      succ = cls.getAReceiverNode().getAPropertyRead(prop)
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -30,7 +30,7 @@ module XssThroughDom {
  /**
   * Gets a DOM property name that could store user-controlled data.
   */
-  string unsafeDomPropertyName() { result = ["innerText", "textContent", "value", "name"] }
+  string unsafeDomPropertyName() { result = ["innerText", "textContent", "value", "name", "src"] }

  /**
   * A source for text from the DOM from a JQuery method call.