JS: Port XssThroughDom

Asger F
2023-10-04 21:32:04 +02:00
parent 5f05232e02
commit cf5450dbd5
5 changed files with 160 additions and 247 deletions


@@ -16,6 +16,21 @@ module XssThroughDom {
/** A data flow source for XSS through DOM vulnerabilities. */ /** A data flow source for XSS through DOM vulnerabilities. */
abstract class Source extends Shared::Source { } abstract class Source extends Shared::Source { }
/**
* A barrier guard for XSS through the DOM.
*/
abstract class BarrierGuard extends DataFlow::Node {
/**
* Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
*/
predicate blocksExpr(boolean outcome, Expr e) { none() }
}
/** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
}
/** /**
* Gets an attribute name that could store user-controlled data. * Gets an attribute name that could store user-controlled data.
* *
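Review bot: The QLDoc on the new `BarrierGuard` class does not say which of the two new classes a custom guard should extend, and the choice decides which analysis sees the guard. Only `BarrierGuardLegacy` forwards `sanitizes` to `blocksExpr`, so a guard that extends plain `BarrierGuard` is not a `TaintTracking::SanitizerGuardNode` and presumably has no effect on the deprecated `Configuration`. I would add a sentence to the `BarrierGuard` comment such as `Extend BarrierGuardLegacy instead if the guard must also apply to the deprecated Configuration.` The enclosing `XssThroughDom` module starts and ends outside this hunk.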


@@ -11,7 +11,44 @@ private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizati
/** /**
* A taint-tracking configuration for reasoning about XSS through the DOM. * A taint-tracking configuration for reasoning about XSS through the DOM.
*/ */
class Configuration extends TaintTracking::Configuration { module XssThroughDomConfig implements DataFlow::ConfigSig {
// NOTE: Gained FP in Lucifier due to spurious source but with more data flow (I think).
// TODO: Seen unexplained FP in meteor, likely due to spurious flow into a callback coming from another call site
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink }
predicate isBarrier(DataFlow::Node node) {
node instanceof DomBasedXss::Sanitizer or
DomBasedXss::isOptionallySanitizedNode(node) or
node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode() or
node = DataFlow::MakeBarrierGuard<UnsafeJQuery::BarrierGuard>::getABarrierNode()
}
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
succ = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and
pred = succ.(DataFlow::InvokeNode).getArgument(0)
}
}
/**
* Taint-tracking configuration for reasoning about XSS through the DOM.
*/
module XssThroughDomFlow = TaintTracking::Global<XssThroughDomConfig>;
/**
* Holds if the `source,sink` pair should not be reported.
*/
bindingset[source, sink]
predicate isIgnoredSourceSinkPair(Source source, DomBasedXss::Sink sink) {
source.(DomPropertySource).getPropertyName() = "src" and
sink instanceof DomBasedXss::WriteUrlSink
}
/**
* DEPRECATED. Use the `XssThroughDomFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "XssThroughDOM" } Configuration() { this = "XssThroughDOM" }
override predicate isSource(DataFlow::Node source) { source instanceof Source } override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -49,14 +86,14 @@ class Configuration extends TaintTracking::Configuration {
} }
/** A test for the value of `typeof x`, restricting the potential types of `x`. */ /** A test for the value of `typeof x`, restricting the potential types of `x`. */
class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode { class TypeTestGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
override EqualityTest astNode; override EqualityTest astNode;
Expr operand; Expr operand;
boolean polarity; boolean polarity;
TypeTestGuard() { TaintTracking::isStringTypeGuard(astNode, operand, polarity) } TypeTestGuard() { TaintTracking::isStringTypeGuard(astNode, operand, polarity) }
override predicate sanitizes(boolean outcome, Expr e) { override predicate blocksExpr(boolean outcome, Expr e) {
polarity = outcome and polarity = outcome and
e = operand e = operand
} }
@@ -64,9 +101,7 @@ class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNo
private import semmle.javascript.security.dataflow.Xss::Shared as Shared private import semmle.javascript.security.dataflow.Xss::Shared as Shared
private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode, private class PrefixStringSanitizer extends DomBasedXss::PrefixStringSanitizer {
DomBasedXss::PrefixStringSanitizer
{
PrefixStringSanitizer() { this = this } PrefixStringSanitizer() { this = this }
} }
@@ -74,11 +109,10 @@ private class PrefixString extends DataFlow::FlowLabel, DomBasedXss::PrefixStrin
PrefixString() { this = this } PrefixString() { this = this }
} }
private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard { private class QuoteGuard extends Shared::QuoteGuard {
QuoteGuard() { this = this } QuoteGuard() { this = this }
} }
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard private class ContainsHtmlGuard extends Shared::ContainsHtmlGuard {
{
ContainsHtmlGuard() { this = this } ContainsHtmlGuard() { this = this }
} }
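Review bot: `QuoteGuard`, `ContainsHtmlGuard` and `PrefixStringSanitizer` drop their `TaintTracking::SanitizerGuardNode` supertype in the later hunks, yet `XssThroughDomConfig::isBarrier` builds barrier nodes only from `BarrierGuard` and `UnsafeJQuery::BarrierGuard`. Unless `Shared::QuoteGuard`, `Shared::ContainsHtmlGuard` and `DomBasedXss::PrefixStringSanitizer` are already covered by one of those two (their definitions are not visible here), these guards no longer block flow in the new configuration and the query would report paths it used to suppress. If they are not covered, `isBarrier` needs a further disjunct for the shared guards. Either way, a short comment inside `isBarrier` saying where each guard family is wired in would make the port checkable. The deprecated `Configuration` body continues outside the hunks, so its guard handling cannot be confirmed from this page.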


@@ -14,9 +14,11 @@
import javascript import javascript
import semmle.javascript.security.dataflow.XssThroughDomQuery import semmle.javascript.security.dataflow.XssThroughDomQuery
import DataFlow::PathGraph import XssThroughDomFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink from XssThroughDomFlow::PathNode source, XssThroughDomFlow::PathNode sink
where cfg.hasFlowPath(source, sink) where
XssThroughDomFlow::flowPath(source, sink) and
not isIgnoredSourceSinkPair(source.getNode(), sink.getNode())
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(), "DOM text" "$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(), "DOM text"


@@ -1,3 +1,14 @@
import javascript import javascript
import testUtilities.ConsistencyChecking import testUtilities.ConsistencyChecking
import semmle.javascript.security.dataflow.XssThroughDomQuery as ThroughDomXss import semmle.javascript.security.dataflow.XssThroughDomQuery
class ConsistencyConfig extends ConsistencyConfiguration {
ConsistencyConfig() { this = "ConsistencyConfig" }
override DataFlow::Node getAnAlert() {
exists(DataFlow::Node source |
XssThroughDomFlow::flow(source, result) and
not isIgnoredSourceSinkPair(source, result)
)
}
}
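Review bot: `getAnAlert` has to repeat `not isIgnoredSourceSinkPair(source, result)` by hand because `XssThroughDomFlow` does not apply that exclusion itself; the `where` clause of the query file carries the same line. Any other consumer of `XssThroughDomFlow::flow` or `flowPath` that omits the filter will report the `src`-property-to-`WriteUrlSink` pairs the query deliberately hides. The QLDoc on `XssThroughDomFlow` should state this, for example `Results must be filtered with isIgnoredSourceSinkPair before they are reported.` The QLDoc on `isIgnoredSourceSinkPair` should also say why the pair is ignored rather than only that it is.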


@@ -1,277 +1,128 @@
nodes
| forms.js:8:23:8:28 | values |
| forms.js:8:23:8:28 | values |
| forms.js:9:31:9:36 | values |
| forms.js:9:31:9:40 | values.foo |
| forms.js:9:31:9:40 | values.foo |
| forms.js:11:24:11:29 | values |
| forms.js:11:24:11:29 | values |
| forms.js:12:31:12:36 | values |
| forms.js:12:31:12:40 | values.bar |
| forms.js:12:31:12:40 | values.bar |
| forms.js:24:15:24:20 | values |
| forms.js:24:15:24:20 | values |
| forms.js:25:23:25:28 | values |
| forms.js:25:23:25:34 | values.email |
| forms.js:25:23:25:34 | values.email |
| forms.js:28:20:28:25 | values |
| forms.js:28:20:28:25 | values |
| forms.js:29:23:29:28 | values |
| forms.js:29:23:29:34 | values.email |
| forms.js:29:23:29:34 | values.email |
| forms.js:34:11:34:53 | values |
| forms.js:34:13:34:18 | values |
| forms.js:34:13:34:18 | values |
| forms.js:35:19:35:24 | values |
| forms.js:35:19:35:30 | values.email |
| forms.js:35:19:35:30 | values.email |
| forms.js:44:21:44:26 | values |
| forms.js:44:21:44:26 | values |
| forms.js:45:21:45:26 | values |
| forms.js:45:21:45:33 | values.stooge |
| forms.js:45:21:45:33 | values.stooge |
| forms.js:57:19:57:32 | e.target.value |
| forms.js:57:19:57:32 | e.target.value |
| forms.js:57:19:57:32 | e.target.value |
| forms.js:71:21:71:24 | data |
| forms.js:71:21:71:24 | data |
| forms.js:72:19:72:22 | data |
| forms.js:72:19:72:27 | data.name |
| forms.js:72:19:72:27 | data.name |
| forms.js:92:17:92:36 | values |
| forms.js:92:26:92:36 | getValues() |
| forms.js:92:26:92:36 | getValues() |
| forms.js:93:25:93:30 | values |
| forms.js:93:25:93:35 | values.name |
| forms.js:93:25:93:35 | values.name |
| forms.js:103:23:103:36 | e.target.value |
| forms.js:103:23:103:36 | e.target.value |
| forms.js:103:23:103:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
| xss-through-dom.js:11:3:11:42 | documen ... nerText |
| xss-through-dom.js:11:3:11:42 | documen ... nerText |
| xss-through-dom.js:11:3:11:42 | documen ... nerText |
| xss-through-dom.js:19:3:19:44 | documen ... Content |
| xss-through-dom.js:19:3:19:44 | documen ... Content |
| xss-through-dom.js:19:3:19:44 | documen ... Content |
| xss-through-dom.js:23:3:23:48 | documen ... ].value |
| xss-through-dom.js:23:3:23:48 | documen ... ].value |
| xss-through-dom.js:23:3:23:48 | documen ... ].value |
| xss-through-dom.js:27:3:27:61 | documen ... arget') |
| xss-through-dom.js:27:3:27:61 | documen ... arget') |
| xss-through-dom.js:27:3:27:61 | documen ... arget') |
| xss-through-dom.js:51:30:51:48 | $("textarea").val() |
| xss-through-dom.js:51:30:51:48 | $("textarea").val() |
| xss-through-dom.js:51:30:51:48 | $("textarea").val() |
| xss-through-dom.js:54:31:54:49 | $("textarea").val() |
| xss-through-dom.js:54:31:54:49 | $("textarea").val() |
| xss-through-dom.js:54:31:54:49 | $("textarea").val() |
| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
| xss-through-dom.js:61:30:61:69 | $(docum ... value") |
| xss-through-dom.js:61:30:61:69 | $(docum ... value") |
| xss-through-dom.js:61:30:61:69 | $(docum ... value") |
| xss-through-dom.js:64:30:64:40 | valMethod() |
| xss-through-dom.js:64:30:64:40 | valMethod() |
| xss-through-dom.js:64:30:64:40 | valMethod() |
| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
| xss-through-dom.js:73:9:73:41 | selector |
| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name |
| xss-through-dom.js:77:4:77:11 | selector |
| xss-through-dom.js:77:4:77:11 | selector |
| xss-through-dom.js:79:4:79:34 | documen ... t.value |
| xss-through-dom.js:79:4:79:34 | documen ... t.value |
| xss-through-dom.js:79:4:79:34 | documen ... t.value |
| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
| xss-through-dom.js:84:8:84:30 | text |
| xss-through-dom.js:84:15:84:30 | $("text").text() |
| xss-through-dom.js:84:15:84:30 | $("text").text() |
| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
| xss-through-dom.js:86:33:86:36 | text |
| xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
| xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
| xss-through-dom.js:87:36:87:39 | text |
| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value |
| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value |
| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value |
| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value |
| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value |
| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value |
| xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" |
| xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" |
| xss-through-dom.js:109:45:109:55 | this.el.src |
| xss-through-dom.js:109:45:109:55 | this.el.src |
| xss-through-dom.js:114:11:114:52 | src |
| xss-through-dom.js:114:17:114:52 | documen ... k").src |
| xss-through-dom.js:114:17:114:52 | documen ... k").src |
| xss-through-dom.js:115:16:115:18 | src |
| xss-through-dom.js:115:16:115:18 | src |
| xss-through-dom.js:117:26:117:28 | src |
| xss-through-dom.js:117:26:117:28 | src |
| xss-through-dom.js:120:23:120:37 | ev.target.files |
| xss-through-dom.js:120:23:120:37 | ev.target.files |
| xss-through-dom.js:120:23:120:40 | ev.target.files[0] |
| xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
| xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
| xss-through-dom.js:122:53:122:67 | ev.target.files |
| xss-through-dom.js:122:53:122:67 | ev.target.files |
| xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
| xss-through-dom.js:130:6:130:68 | linkText |
| xss-through-dom.js:130:17:130:37 | wSelect ... tring() |
| xss-through-dom.js:130:17:130:37 | wSelect ... tring() |
| xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
| xss-through-dom.js:130:17:130:68 | wSelect ... ) \|\| '' |
| xss-through-dom.js:130:42:130:62 | dSelect ... tring() |
| xss-through-dom.js:130:42:130:62 | dSelect ... tring() |
| xss-through-dom.js:131:19:131:26 | linkText |
| xss-through-dom.js:131:19:131:26 | linkText |
| xss-through-dom.js:132:16:132:23 | linkText |
| xss-through-dom.js:132:16:132:23 | linkText |
| xss-through-dom.js:139:11:139:52 | src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src |
| xss-through-dom.js:140:19:140:21 | src |
| xss-through-dom.js:140:19:140:21 | src |
| xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:154:25:154:27 | msg |
| xss-through-dom.js:155:27:155:29 | msg |
| xss-through-dom.js:155:27:155:29 | msg |
| xss-through-dom.js:159:34:159:52 | $("textarea").val() |
| xss-through-dom.js:159:34:159:52 | $("textarea").val() |
edges edges
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values | | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
| forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo | | forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo |
| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values | | forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
| forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values |
| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
| forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar | | forms.js:12:31:12:36 | values | forms.js:12:31:12:40 | values.bar |
| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values | | forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
| forms.js:24:15:24:20 | values | forms.js:25:23:25:28 | values |
| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
| forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email | | forms.js:25:23:25:28 | values | forms.js:25:23:25:34 | values.email |
| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values | | forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
| forms.js:28:20:28:25 | values | forms.js:29:23:29:28 | values |
| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
| forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email | | forms.js:29:23:29:28 | values | forms.js:29:23:29:34 | values.email |
| forms.js:34:11:34:53 | values | forms.js:35:19:35:24 | values | | forms.js:34:11:34:53 | values | forms.js:35:19:35:24 | values |
| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values | | forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
| forms.js:34:13:34:18 | values | forms.js:34:11:34:53 | values |
| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
| forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email | | forms.js:35:19:35:24 | values | forms.js:35:19:35:30 | values.email |
| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values | | forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
| forms.js:44:21:44:26 | values | forms.js:45:21:45:26 | values |
| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge | | forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
| forms.js:45:21:45:26 | values | forms.js:45:21:45:33 | values.stooge |
| forms.js:57:19:57:32 | e.target.value | forms.js:57:19:57:32 | e.target.value |
| forms.js:71:21:71:24 | data | forms.js:72:19:72:22 | data | | forms.js:71:21:71:24 | data | forms.js:72:19:72:22 | data |
| forms.js:71:21:71:24 | data | forms.js:72:19:72:22 | data |
| forms.js:72:19:72:22 | data | forms.js:72:19:72:27 | data.name |
| forms.js:72:19:72:22 | data | forms.js:72:19:72:27 | data.name | | forms.js:72:19:72:22 | data | forms.js:72:19:72:27 | data.name |
| forms.js:92:17:92:36 | values | forms.js:93:25:93:30 | values | | forms.js:92:17:92:36 | values | forms.js:93:25:93:30 | values |
| forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values | | forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
| forms.js:92:26:92:36 | getValues() | forms.js:92:17:92:36 | values |
| forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name | | forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
| forms.js:93:25:93:30 | values | forms.js:93:25:93:35 | values.name |
| forms.js:103:23:103:36 | e.target.value | forms.js:103:23:103:36 | e.target.value |
| forms.js:107:23:107:36 | e.target.value | forms.js:107:23:107:36 | e.target.value |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() | xss-through-dom.js:2:16:2:34 | $("textarea").val() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | xss-through-dom.js:4:16:4:40 | $(".som ... .text() |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | xss-through-dom.js:8:16:8:53 | $(".som ... arget") |
| xss-through-dom.js:11:3:11:42 | documen ... nerText | xss-through-dom.js:11:3:11:42 | documen ... nerText |
| xss-through-dom.js:19:3:19:44 | documen ... Content | xss-through-dom.js:19:3:19:44 | documen ... Content |
| xss-through-dom.js:23:3:23:48 | documen ... ].value | xss-through-dom.js:23:3:23:48 | documen ... ].value |
| xss-through-dom.js:27:3:27:61 | documen ... arget') | xss-through-dom.js:27:3:27:61 | documen ... arget') |
| xss-through-dom.js:51:30:51:48 | $("textarea").val() | xss-through-dom.js:51:30:51:48 | $("textarea").val() |
| xss-through-dom.js:54:31:54:49 | $("textarea").val() | xss-through-dom.js:54:31:54:49 | $("textarea").val() |
| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name |
| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | xss-through-dom.js:57:30:57:67 | $("inpu ... "name") |
| xss-through-dom.js:61:30:61:69 | $(docum ... value") | xss-through-dom.js:61:30:61:69 | $(docum ... value") |
| xss-through-dom.js:64:30:64:40 | valMethod() | xss-through-dom.js:64:30:64:40 | valMethod() |
| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name |
| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:4:77:11 | selector |
| xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:4:77:11 | selector | | xss-through-dom.js:73:9:73:41 | selector | xss-through-dom.js:77:4:77:11 | selector |
| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector | | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
| xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
| xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:86:33:86:36 | text | | xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:86:33:86:36 | text |
| xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:87:36:87:39 | text | | xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:87:36:87:39 | text |
| xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text | | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text |
| xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text |
| xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
| xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | | xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
| xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) | | xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
| xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | xss-through-dom.js:93:16:93:46 | $("#foo ... ].value |
| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | xss-through-dom.js:96:17:96:47 | $("#foo ... ].value |
| xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" |
| xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" |
| xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" |
| xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" | | xss-through-dom.js:109:45:109:55 | this.el.src | xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" |
| xss-through-dom.js:114:11:114:52 | src | xss-through-dom.js:115:16:115:18 | src | | xss-through-dom.js:114:11:114:52 | src | xss-through-dom.js:115:16:115:18 | src |
| xss-through-dom.js:114:11:114:52 | src | xss-through-dom.js:115:16:115:18 | src |
| xss-through-dom.js:114:11:114:52 | src | xss-through-dom.js:117:26:117:28 | src |
| xss-through-dom.js:114:11:114:52 | src | xss-through-dom.js:117:26:117:28 | src | | xss-through-dom.js:114:11:114:52 | src | xss-through-dom.js:117:26:117:28 | src |
| xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:114:11:114:52 | src | | xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:114:11:114:52 | src |
| xss-through-dom.js:114:17:114:52 | documen ... k").src | xss-through-dom.js:114:11:114:52 | src | | xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
| xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:40 | ev.target.files[0] |
| xss-through-dom.js:120:23:120:37 | ev.target.files | xss-through-dom.js:120:23:120:40 | ev.target.files[0] |
| xss-through-dom.js:120:23:120:40 | ev.target.files[0] | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
| xss-through-dom.js:120:23:120:40 | ev.target.files[0] | xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name |
| xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
| xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:53:122:70 | ev.target.files[0] | | xss-through-dom.js:122:53:122:67 | ev.target.files | xss-through-dom.js:122:53:122:70 | ev.target.files[0] |
| xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | | xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
| xss-through-dom.js:122:53:122:70 | ev.target.files[0] | xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) |
| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:131:19:131:26 | linkText |
| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:131:19:131:26 | linkText | | xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:131:19:131:26 | linkText |
| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:132:16:132:23 | linkText | | xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:132:16:132:23 | linkText |
| xss-through-dom.js:130:6:130:68 | linkText | xss-through-dom.js:132:16:132:23 | linkText | | xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:130:6:130:68 | linkText |
| xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() | | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:130:6:130:68 | linkText |
| xss-through-dom.js:130:17:130:37 | wSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
| xss-through-dom.js:130:17:130:62 | wSelect ... tring() | xss-through-dom.js:130:17:130:68 | wSelect ... ) \|\| '' |
| xss-through-dom.js:130:17:130:68 | wSelect ... ) \|\| '' | xss-through-dom.js:130:6:130:68 | linkText |
| xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
| xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:130:17:130:62 | wSelect ... tring() |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:140:19:140:21 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:140:19:140:21 | src | | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:140:19:140:21 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src | | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:150:24:150:26 | src | | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src | | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
| xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg |
| xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg | | xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg |
| xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg | | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg |
| xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg | nodes
| forms.js:8:23:8:28 | values | semmle.label | values |
| forms.js:9:31:9:36 | values | semmle.label | values |
| forms.js:9:31:9:40 | values.foo | semmle.label | values.foo |
| forms.js:11:24:11:29 | values | semmle.label | values |
| forms.js:12:31:12:36 | values | semmle.label | values |
| forms.js:12:31:12:40 | values.bar | semmle.label | values.bar |
| forms.js:24:15:24:20 | values | semmle.label | values |
| forms.js:25:23:25:28 | values | semmle.label | values |
| forms.js:25:23:25:34 | values.email | semmle.label | values.email |
| forms.js:28:20:28:25 | values | semmle.label | values |
| forms.js:29:23:29:28 | values | semmle.label | values |
| forms.js:29:23:29:34 | values.email | semmle.label | values.email |
| forms.js:34:11:34:53 | values | semmle.label | values |
| forms.js:34:13:34:18 | values | semmle.label | values |
| forms.js:35:19:35:24 | values | semmle.label | values |
| forms.js:35:19:35:30 | values.email | semmle.label | values.email |
| forms.js:44:21:44:26 | values | semmle.label | values |
| forms.js:45:21:45:26 | values | semmle.label | values |
| forms.js:45:21:45:33 | values.stooge | semmle.label | values.stooge |
| forms.js:57:19:57:32 | e.target.value | semmle.label | e.target.value |
| forms.js:71:21:71:24 | data | semmle.label | data |
| forms.js:72:19:72:22 | data | semmle.label | data |
| forms.js:72:19:72:27 | data.name | semmle.label | data.name |
| forms.js:92:17:92:36 | values | semmle.label | values |
| forms.js:92:26:92:36 | getValues() | semmle.label | getValues() |
| forms.js:93:25:93:30 | values | semmle.label | values |
| forms.js:93:25:93:35 | values.name | semmle.label | values.name |
| forms.js:103:23:103:36 | e.target.value | semmle.label | e.target.value |
| forms.js:107:23:107:36 | e.target.value | semmle.label | e.target.value |
| xss-through-dom.js:2:16:2:34 | $("textarea").val() | semmle.label | $("textarea").val() |
| xss-through-dom.js:4:16:4:40 | $(".som ... .text() | semmle.label | $(".som ... .text() |
| xss-through-dom.js:8:16:8:53 | $(".som ... arget") | semmle.label | $(".som ... arget") |
| xss-through-dom.js:11:3:11:42 | documen ... nerText | semmle.label | documen ... nerText |
| xss-through-dom.js:19:3:19:44 | documen ... Content | semmle.label | documen ... Content |
| xss-through-dom.js:23:3:23:48 | documen ... ].value | semmle.label | documen ... ].value |
| xss-through-dom.js:27:3:27:61 | documen ... arget') | semmle.label | documen ... arget') |
| xss-through-dom.js:51:30:51:48 | $("textarea").val() | semmle.label | $("textarea").val() |
| xss-through-dom.js:54:31:54:49 | $("textarea").val() | semmle.label | $("textarea").val() |
| xss-through-dom.js:56:30:56:51 | $("inpu ... 0).name | semmle.label | $("inpu ... 0).name |
| xss-through-dom.js:57:30:57:67 | $("inpu ... "name") | semmle.label | $("inpu ... "name") |
| xss-through-dom.js:61:30:61:69 | $(docum ... value") | semmle.label | $(docum ... value") |
| xss-through-dom.js:64:30:64:40 | valMethod() | semmle.label | valMethod() |
| xss-through-dom.js:71:11:71:32 | $("inpu ... 0).name | semmle.label | $("inpu ... 0).name |
| xss-through-dom.js:73:9:73:41 | selector | semmle.label | selector |
| xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | semmle.label | $("inpu ... 0).name |
| xss-through-dom.js:77:4:77:11 | selector | semmle.label | selector |
| xss-through-dom.js:79:4:79:34 | documen ... t.value | semmle.label | documen ... t.value |
| xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | semmle.label | $('#foo ... rText') |
| xss-through-dom.js:84:8:84:30 | text | semmle.label | text |
| xss-through-dom.js:84:15:84:30 | $("text").text() | semmle.label | $("text").text() |
| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | semmle.label | anser.a ... l(text) |
| xss-through-dom.js:86:33:86:36 | text | semmle.label | text |
| xss-through-dom.js:87:16:87:40 | new ans ... s(text) | semmle.label | new ans ... s(text) |
| xss-through-dom.js:87:36:87:39 | text | semmle.label | text |
| xss-through-dom.js:93:16:93:46 | $("#foo ... ].value | semmle.label | $("#foo ... ].value |
| xss-through-dom.js:96:17:96:47 | $("#foo ... ].value | semmle.label | $("#foo ... ].value |
| xss-through-dom.js:109:31:109:70 | "<a src ... oo</a>" | semmle.label | "<a src ... oo</a>" |
| xss-through-dom.js:109:45:109:55 | this.el.src | semmle.label | this.el.src |
| xss-through-dom.js:114:11:114:52 | src | semmle.label | src |
| xss-through-dom.js:114:17:114:52 | documen ... k").src | semmle.label | documen ... k").src |
| xss-through-dom.js:115:16:115:18 | src | semmle.label | src |
| xss-through-dom.js:117:26:117:28 | src | semmle.label | src |
| xss-through-dom.js:120:23:120:37 | ev.target.files | semmle.label | ev.target.files |
| xss-through-dom.js:120:23:120:45 | ev.targ ... 0].name | semmle.label | ev.targ ... 0].name |
| xss-through-dom.js:122:33:122:71 | URL.cre ... les[0]) | semmle.label | URL.cre ... les[0]) |
| xss-through-dom.js:122:53:122:67 | ev.target.files | semmle.label | ev.target.files |
| xss-through-dom.js:122:53:122:70 | ev.target.files[0] | semmle.label | ev.target.files[0] |
| xss-through-dom.js:130:6:130:68 | linkText | semmle.label | linkText |
| xss-through-dom.js:130:17:130:37 | wSelect ... tring() | semmle.label | wSelect ... tring() |
| xss-through-dom.js:130:42:130:62 | dSelect ... tring() | semmle.label | dSelect ... tring() |
| xss-through-dom.js:131:19:131:26 | linkText | semmle.label | linkText |
| xss-through-dom.js:132:16:132:23 | linkText | semmle.label | linkText |
| xss-through-dom.js:139:11:139:52 | src | semmle.label | src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src | semmle.label | documen ... k").src |
| xss-through-dom.js:140:19:140:21 | src | semmle.label | src |
| xss-through-dom.js:141:25:141:27 | src | semmle.label | src |
| xss-through-dom.js:150:24:150:26 | src | semmle.label | src |
| xss-through-dom.js:154:25:154:27 | msg | semmle.label | msg |
| xss-through-dom.js:155:27:155:29 | msg | semmle.label | msg |
| xss-through-dom.js:159:34:159:52 | $("textarea").val() | semmle.label | $("textarea").val() |
subpaths
#select #select
| forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text | | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
| forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text | | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |