Merge pull request #2429 from erik-krogh/typeAheadSink

Approved by esbena
2025-12-21 19:26:31 +01:00 · 2019-12-03 08:07:25 +00:00
parent e441e432ff ea9d6189de
commit cfcd18b411
11 changed files with 920 additions and 0 deletions
--- a/change-notes/1.24/analysis-javascript.md
+++ b/change-notes/1.24/analysis-javascript.md
@@ -4,6 +4,7 @@

 * Support for the following frameworks and libraries has been improved:
  - [react](https://www.npmjs.com/package/react)
+  - [typeahead.js](https://www.npmjs.com/package/typeahead.js)
  - [Handlebars](https://www.npmjs.com/package/handlebars)

 - Imports with the `.js` extension can now be resolved to a TypeScript file,
@@ -26,3 +27,4 @@
 ## Changes to libraries

 * The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
+
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -92,6 +92,7 @@ import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.SocketIO
 import semmle.javascript.frameworks.StringFormatters
 import semmle.javascript.frameworks.TorrentLibraries
+import semmle.javascript.frameworks.Typeahead
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.XmlParsers
--- a/javascript/ql/src/semmle/javascript/frameworks/Typeahead.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Typeahead.qll
@@ -0,0 +1,135 @@
+/**
+ * Provides classes for working with typeahead.js code (https://www.npmjs.com/package/typeahead.js).
+ */
+
+import javascript
+
+module Typeahead {
+  /**
+   * A reference to the Bloodhound class, which is a utility-class for generating auto-complete suggestions.
+   */
+  private class Bloodhound extends DataFlow::SourceNode {
+    Bloodhound() {
+      this = DataFlow::moduleImport("typeahead.js/dist/bloodhound.js")
+      or
+      this = DataFlow::moduleImport("bloodhound-js")
+      or
+      this.accessesGlobal("Bloodhound")
+    }
+  }
+
+  /**
+   * An instance of the Bloodhound class.
+   */
+  private class BloodhoundInstance extends DataFlow::NewNode {
+    BloodhoundInstance() { this = any(Bloodhound b).getAnInstantiation() }
+  }
+
+  /**
+   * An instance of of the Bloodhound class that is used to fetch data from a remote server.
+   */
+  private class RemoteBloodhoundClientRequest extends ClientRequest::Range, BloodhoundInstance {
+    DataFlow::ValueNode option;
+
+    RemoteBloodhoundClientRequest() {
+      exists(string optionName | optionName = "remote" or optionName = "prefetch" |
+        option = this.getOptionArgument(0, optionName)
+      )
+    }
+
+    /**
+     * Gets the URL for this Bloodhound instance.
+     * The Bloodhound API specifies that the "remote" and "prefetch" options are either strings,
+     * or an object containing an "url" property.
+     */
+    override DataFlow::Node getUrl() {
+      result = option.getALocalSource().getAPropertyWrite("url").getRhs()
+      or
+      result = option
+    }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+
+    /** Gets a Bloodhound instance that fetches remote server data. */
+    private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+      t.start() and result = this
+      or
+      exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
+    }
+
+    /** Gets a Bloodhound instance that fetches remote server data. */
+    private DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+
+    override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
+      responseType = "json" and
+      promise = false and
+      exists(TypeaheadSource source |
+        ref() = source.getALocalSource() or ref().getAMethodCall("ttAdapter") = source
+      |
+        result = source.getASuggestion()
+      )
+    }
+  }
+
+  /**
+   * An invocation of the `typeahead.js` library.
+   */
+  private class TypeaheadCall extends DataFlow::CallNode {
+    TypeaheadCall() {
+      // Matches `$(...).typeahead(..)`
+      this = JQuery::objectRef().getAMethodCall("typeahead")
+    }
+  }
+
+  /**
+   * A function that generates suggestions to typeahead.js.
+   */
+  class TypeaheadSuggestionFunction extends DataFlow::FunctionNode {
+    TypeaheadCall typeaheadCall;
+
+    TypeaheadSuggestionFunction() {
+      // Matches `$(...).typeahead({..}, { templates: { suggestion: <this> } })`.
+      this = typeaheadCall
+            .getOptionArgument(1, "templates")
+            .getALocalSource()
+            .getAPropertyWrite("suggestion")
+            .getRhs()
+            .getAFunctionValue()
+    }
+
+    /**
+     * Gets the call to typeahead.js where this suggestion function is used.
+     */
+    TypeaheadCall getTypeaheadCall() { result = typeaheadCall }
+  }
+
+  /**
+   * A `source` option for a typeahead.js plugin instance.
+   */
+  private class TypeaheadSource extends DataFlow::ValueNode {
+    TypeaheadCall typeaheadCall;
+
+    TypeaheadSource() { this = typeaheadCall.getOptionArgument(1, "source") }
+
+    /** Gets a node for a suggestion that this source motivates. */
+    DataFlow::Node getASuggestion() {
+      exists(TypeaheadSuggestionFunction suggestionCallback |
+        suggestionCallback.getTypeaheadCall() = typeaheadCall and
+        result = suggestionCallback.getParameter(0)
+      )
+    }
+  }
+
+  /**
+   * A taint step that models that a function in the `source` of typeahead.js is used to determine the input to the suggestion function.
+   */
+  private class TypeaheadSourceTaintStep extends TypeaheadSource, TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      // Matches `$(...).typeahead({..}, {source: function(q, cb) {..;cb(<pred>);..}, templates: { suggestion: function(<succ>) {} } })`.
+      pred = this.getAFunctionValue().getParameter([1 .. 2]).getACall().getAnArgument() and
+      succ = this.getASuggestion()
+    }
+  }
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -96,6 +96,8 @@ module DomBasedXss {
        this = mcn.getArgument(1)
      )
      or
+      this = any(Typeahead::TypeaheadSuggestionFunction f).getAReturn()
+      or
      this = any(Handlebars::SafeString s).getAnArgument()
    }
  }
--- a/javascript/ql/test/library-tests/frameworks/typeahead/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/typeahead/test.expected
@@ -0,0 +1,8 @@
+url
+| tst.js:3:14:5:6 | {\\n\\t     ... \\n\\t    } |
+| tst.js:4:15:4:52 | '/api/d ... %QUERY' |
+| tst.js:8:16:8:29 | searchIndexUrl |
+response
+| json | false | tst.js:15:35:15:46 | taintedParam |
+suggestionFunction
+| tst.js:15:25:17:4 | functio ... \\n\\t\\n\\t\\t\\t} |
--- a/javascript/ql/test/library-tests/frameworks/typeahead/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/typeahead/test.ql
@@ -0,0 +1,13 @@
+import javascript
+
+query DataFlow::Node url() {
+   result = any(ClientRequest r).getUrl()	
+}
+
+query DataFlow::Node response(string responseType, boolean promise) {
+   result = any(ClientRequest r).getAResponseDataNode(responseType, promise)	
+}
+
+query DataFlow::Node suggestionFunction() {
+  result = any(Typeahead::TypeaheadSuggestionFunction t)	
+}
--- a/javascript/ql/test/library-tests/frameworks/typeahead/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/typeahead/tst.js
@@ -0,0 +1,20 @@
+(function () {
+	var foo = new Bloodhound({
+	    remote: {
+	        url: '/api/destinations/search?text=%QUERY'
+	    }
+	});
+	var bar = new Bloodhound({
+	    prefetch: searchIndexUrl
+	});
+	
+	$('.typeahead').typeahead({}, {
+        name: 'prefetchedCities',
+        source: bar.ttAdapter(),
+        templates: {
+            suggestion: function (taintedParam) {
+	
+			},
+        }
+    });
+})();
--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -331,6 +331,14 @@ nodes
 | tst.js:313:35:313:42 | location |
 | tst.js:313:35:313:42 | location |
 | tst.js:313:35:313:42 | location |
+| typeahead.js:20:13:20:45 | target |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:21:12:21:17 | target |
+| typeahead.js:24:30:24:32 | val |
+| typeahead.js:25:18:25:20 | val |
+| typeahead.js:25:18:25:20 | val |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
@@ -630,6 +638,13 @@ edges
 | tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
 | tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
 | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location |
+| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
+| typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
@@ -721,6 +736,7 @@ edges
 | tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
 | tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |
 | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:313:35:313:42 | location | user-provided value |
+| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
@@ -0,0 +1,669 @@
+nodes
+| addEventListener.js:1:43:1:47 | event |
+| addEventListener.js:1:43:1:47 | event |
+| addEventListener.js:2:20:2:24 | event |
+| addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:5:43:5:48 | data |
+| addEventListener.js:5:43:5:48 | {data} |
+| addEventListener.js:5:43:5:48 | {data} |
+| addEventListener.js:5:44:5:47 | data |
+| addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:10:21:10:25 | event |
+| addEventListener.js:10:21:10:25 | event |
+| addEventListener.js:12:24:12:28 | event |
+| addEventListener.js:12:24:12:33 | event.data |
+| addEventListener.js:12:24:12:33 | event.data |
+| exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:86:17:86:19 | foo |
+| jquery.js:2:7:2:40 | tainted |
+| jquery.js:2:17:2:33 | document.location |
+| jquery.js:2:17:2:33 | document.location |
+| jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:4:5:4:11 | tainted |
+| jquery.js:4:5:4:11 | tainted |
+| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:7:20:7:26 | tainted |
+| jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:8:28:8:34 | tainted |
+| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message |
+| nodemailer.js:13:50:13:66 | req.query.message |
+| react-native.js:7:7:7:33 | tainted |
+| react-native.js:7:17:7:33 | req.param("code") |
+| react-native.js:7:17:7:33 | req.param("code") |
+| react-native.js:8:18:8:24 | tainted |
+| react-native.js:8:18:8:24 | tainted |
+| react-native.js:9:27:9:33 | tainted |
+| react-native.js:9:27:9:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location |
+| stored-xss.js:2:39:2:55 | document.location |
+| stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:3:35:3:51 | document.location |
+| stored-xss.js:3:35:3:51 | document.location |
+| stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:8:20:8:48 | localSt ... local') |
+| string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:4:16:4:32 | document.location |
+| string-manipulations.js:4:16:4:32 | document.location |
+| string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:32 | document.location |
+| string-manipulations.js:5:16:5:32 | document.location |
+| string-manipulations.js:5:16:5:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:6:16:6:32 | document.location |
+| string-manipulations.js:6:16:6:32 | document.location |
+| string-manipulations.js:6:16:6:37 | documen ... on.href |
+| string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:7:16:7:32 | document.location |
+| string-manipulations.js:7:16:7:32 | document.location |
+| string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:8:16:8:32 | document.location |
+| string-manipulations.js:8:16:8:32 | document.location |
+| string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:52 | document.location |
+| string-manipulations.js:9:36:9:52 | document.location |
+| string-manipulations.js:9:36:9:57 | documen ... on.href |
+| string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:39 | document.location |
+| string-manipulations.js:10:23:10:39 | document.location |
+| string-manipulations.js:10:23:10:44 | documen ... on.href |
+| translate.js:6:7:6:39 | target |
+| translate.js:6:16:6:32 | document.location |
+| translate.js:6:16:6:32 | document.location |
+| translate.js:6:16:6:39 | documen ... .search |
+| translate.js:7:42:7:47 | target |
+| translate.js:7:42:7:60 | target.substring(1) |
+| translate.js:9:27:9:50 | searchP ... 'term') |
+| translate.js:9:27:9:50 | searchP ... 'term') |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
+| tst3.js:2:23:2:74 | decodeU ... str(1)) |
+| tst3.js:2:42:2:56 | window.location |
+| tst3.js:2:42:2:56 | window.location |
+| tst3.js:2:42:2:63 | window. ... .search |
+| tst3.js:2:42:2:73 | window. ... bstr(1) |
+| tst3.js:4:25:4:28 | data |
+| tst3.js:4:25:4:32 | data.src |
+| tst3.js:4:25:4:32 | data.src |
+| tst3.js:5:26:5:29 | data |
+| tst3.js:5:26:5:31 | data.p |
+| tst3.js:5:26:5:31 | data.p |
+| tst3.js:7:32:7:35 | data |
+| tst3.js:7:32:7:37 | data.p |
+| tst3.js:7:32:7:37 | data.p |
+| tst3.js:9:37:9:40 | data |
+| tst3.js:9:37:9:42 | data.p |
+| tst3.js:9:37:9:42 | data.p |
+| tst3.js:10:38:10:41 | data |
+| tst3.js:10:38:10:43 | data.p |
+| tst3.js:10:38:10:43 | data.p |
+| tst.js:2:7:2:39 | target |
+| tst.js:2:16:2:32 | document.location |
+| tst.js:2:16:2:32 | document.location |
+| tst.js:2:16:2:39 | documen ... .search |
+| tst.js:5:18:5:23 | target |
+| tst.js:5:18:5:23 | target |
+| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:8:37:8:53 | document.location |
+| tst.js:8:37:8:53 | document.location |
+| tst.js:8:37:8:58 | documen ... on.href |
+| tst.js:8:37:8:114 | documen ... t=")+8) |
+| tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:12:28:12:33 | target |
+| tst.js:19:25:19:41 | document.location |
+| tst.js:19:25:19:41 | document.location |
+| tst.js:20:18:20:35 | params.get('name') |
+| tst.js:20:18:20:35 | params.get('name') |
+| tst.js:23:42:23:47 | target |
+| tst.js:23:42:23:60 | target.substring(1) |
+| tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:27:14:27:19 | target |
+| tst.js:29:18:29:23 | target |
+| tst.js:29:18:29:23 | target |
+| tst.js:31:5:31:21 | document.location |
+| tst.js:31:5:31:21 | document.location |
+| tst.js:31:5:31:28 | documen ... .search |
+| tst.js:34:10:34:26 | document.location |
+| tst.js:34:10:34:26 | document.location |
+| tst.js:34:10:34:33 | documen ... .search |
+| tst.js:37:16:37:20 | bar() |
+| tst.js:37:16:37:20 | bar() |
+| tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:43:20:43:36 | document.location |
+| tst.js:43:20:43:36 | document.location |
+| tst.js:43:20:43:43 | documen ... .search |
+| tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:49:21:49:37 | document.location |
+| tst.js:49:21:49:37 | document.location |
+| tst.js:49:21:49:44 | documen ... .search |
+| tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:57:21:57:37 | document.location |
+| tst.js:57:21:57:37 | document.location |
+| tst.js:57:21:57:44 | documen ... .search |
+| tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:59:21:59:37 | document.location |
+| tst.js:59:21:59:37 | document.location |
+| tst.js:59:21:59:44 | documen ... .search |
+| tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:21:61:31 | chop(bar()) |
+| tst.js:61:26:61:30 | bar() |
+| tst.js:63:34:63:34 | s |
+| tst.js:65:18:65:18 | s |
+| tst.js:65:18:65:18 | s |
+| tst.js:67:25:67:41 | document.location |
+| tst.js:67:25:67:41 | document.location |
+| tst.js:67:25:67:48 | documen ... .search |
+| tst.js:68:25:68:41 | document.location |
+| tst.js:68:25:68:41 | document.location |
+| tst.js:68:25:68:48 | documen ... .search |
+| tst.js:71:16:71:20 | bar() |
+| tst.js:71:16:71:20 | bar() |
+| tst.js:73:1:73:27 | [,docum ... search] |
+| tst.js:73:3:73:19 | document.location |
+| tst.js:73:3:73:19 | document.location |
+| tst.js:73:3:73:26 | documen ... .search |
+| tst.js:73:46:73:46 | x |
+| tst.js:76:20:76:20 | x |
+| tst.js:76:20:76:20 | x |
+| tst.js:80:49:80:65 | document.location |
+| tst.js:80:49:80:65 | document.location |
+| tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:72 | documen ... .search |
+| tst.js:84:26:84:42 | document.location |
+| tst.js:84:26:84:42 | document.location |
+| tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:49 | documen ... .search |
+| tst.js:85:25:85:41 | document.location |
+| tst.js:85:25:85:41 | document.location |
+| tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:48 | documen ... .search |
+| tst.js:87:33:87:49 | document.location |
+| tst.js:87:33:87:49 | document.location |
+| tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:56 | documen ... .search |
+| tst.js:88:32:88:48 | document.location |
+| tst.js:88:32:88:48 | document.location |
+| tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:55 | documen ... .search |
+| tst.js:93:39:93:55 | document.location |
+| tst.js:93:39:93:55 | document.location |
+| tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:62 | documen ... .search |
+| tst.js:99:30:99:46 | document.location |
+| tst.js:99:30:99:46 | document.location |
+| tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:53 | documen ... .search |
+| tst.js:105:25:105:41 | document.location |
+| tst.js:105:25:105:41 | document.location |
+| tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:48 | documen ... .search |
+| tst.js:110:7:110:44 | v |
+| tst.js:110:11:110:27 | document.location |
+| tst.js:110:11:110:27 | document.location |
+| tst.js:110:11:110:34 | documen ... .search |
+| tst.js:110:11:110:44 | documen ... bstr(1) |
+| tst.js:113:18:113:18 | v |
+| tst.js:113:18:113:18 | v |
+| tst.js:145:29:145:43 | window.location |
+| tst.js:145:29:145:43 | window.location |
+| tst.js:145:29:145:50 | window. ... .search |
+| tst.js:148:29:148:29 | v |
+| tst.js:148:49:148:49 | v |
+| tst.js:148:49:148:49 | v |
+| tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:155:40:155:54 | window.location |
+| tst.js:155:40:155:54 | window.location |
+| tst.js:155:40:155:61 | window. ... .search |
+| tst.js:174:9:174:41 | target |
+| tst.js:174:18:174:34 | document.location |
+| tst.js:174:18:174:34 | document.location |
+| tst.js:174:18:174:41 | documen ... .search |
+| tst.js:177:28:177:33 | target |
+| tst.js:177:28:177:33 | target |
+| tst.js:181:9:181:42 | tainted |
+| tst.js:181:19:181:35 | document.location |
+| tst.js:181:19:181:35 | document.location |
+| tst.js:181:19:181:42 | documen ... .search |
+| tst.js:183:31:183:37 | tainted |
+| tst.js:183:31:183:37 | tainted |
+| tst.js:185:42:185:48 | tainted |
+| tst.js:185:42:185:48 | tainted |
+| tst.js:186:33:186:39 | tainted |
+| tst.js:186:33:186:39 | tainted |
+| tst.js:188:54:188:60 | tainted |
+| tst.js:188:54:188:60 | tainted |
+| tst.js:189:45:189:51 | tainted |
+| tst.js:189:45:189:51 | tainted |
+| tst.js:194:9:194:42 | tainted |
+| tst.js:194:19:194:35 | document.location |
+| tst.js:194:19:194:35 | document.location |
+| tst.js:194:19:194:42 | documen ... .search |
+| tst.js:196:67:196:73 | tainted |
+| tst.js:196:67:196:73 | tainted |
+| tst.js:197:67:197:73 | tainted |
+| tst.js:197:67:197:73 | tainted |
+| tst.js:201:35:201:41 | tainted |
+| tst.js:203:46:203:52 | tainted |
+| tst.js:204:38:204:44 | tainted |
+| tst.js:205:35:205:41 | tainted |
+| tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:233:35:233:41 | tainted |
+| tst.js:235:20:235:26 | tainted |
+| tst.js:237:23:237:29 | tainted |
+| tst.js:238:23:238:29 | tainted |
+| tst.js:244:39:244:55 | props.propTainted |
+| tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:252:23:252:29 | tainted |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:256:7:256:17 | window.name |
+| tst.js:257:7:257:10 | name |
+| tst.js:257:7:257:10 | name |
+| tst.js:257:7:257:10 | name |
+| tst.js:261:11:261:21 | window.name |
+| tst.js:261:11:261:21 | window.name |
+| tst.js:261:11:261:21 | window.name |
+| tst.js:277:22:277:29 | location |
+| tst.js:277:22:277:29 | location |
+| tst.js:277:22:277:29 | location |
+| tst.js:282:9:282:29 | tainted |
+| tst.js:282:19:282:29 | window.name |
+| tst.js:282:19:282:29 | window.name |
+| tst.js:285:59:285:65 | tainted |
+| tst.js:285:59:285:65 | tainted |
+| tst.js:298:9:298:16 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:299:10:299:10 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location |
+| tst.js:305:10:305:17 | location |
+| tst.js:307:10:307:10 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:313:35:313:42 | location |
+| tst.js:313:35:313:42 | location |
+| tst.js:313:35:313:42 | location |
+| typeahead.js:9:28:9:30 | loc |
+| typeahead.js:9:28:9:30 | loc |
+| typeahead.js:10:16:10:18 | loc |
+| typeahead.js:10:16:10:18 | loc |
+| typeahead.js:20:13:20:45 | target |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:21:12:21:17 | target |
+| typeahead.js:24:30:24:32 | val |
+| typeahead.js:25:18:25:20 | val |
+| typeahead.js:25:18:25:20 | val |
+| v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location |
+| v-html.vue:6:42:6:58 | document.location |
+| winjs.js:2:7:2:53 | tainted |
+| winjs.js:2:17:2:33 | document.location |
+| winjs.js:2:17:2:33 | document.location |
+| winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:3:43:3:49 | tainted |
+| winjs.js:3:43:3:49 | tainted |
+| winjs.js:4:43:4:49 | tainted |
+| winjs.js:4:43:4:49 | tainted |
+edges
+| addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
+| addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
+| addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:2:20:2:24 | event | addEventListener.js:2:20:2:29 | event.data |
+| addEventListener.js:5:43:5:48 | data | addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:5:43:5:48 | data | addEventListener.js:6:20:6:23 | data |
+| addEventListener.js:5:43:5:48 | {data} | addEventListener.js:5:44:5:47 | data |
+| addEventListener.js:5:43:5:48 | {data} | addEventListener.js:5:44:5:47 | data |
+| addEventListener.js:5:44:5:47 | data | addEventListener.js:5:43:5:48 | data |
+| addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
+| addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
+| addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
+| addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
+| jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
+| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
+| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
+| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
+| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
+| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
+| react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
+| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
+| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
+| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:2:39:2:55 | document.location | stored-xss.js:2:39:2:62 | documen ... .search |
+| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:2:39:2:62 | documen ... .search | stored-xss.js:5:20:5:52 | session ... ssion') |
+| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:3:35:3:51 | document.location | stored-xss.js:3:35:3:58 | documen ... .search |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
+| stored-xss.js:3:35:3:58 | documen ... .search | stored-xss.js:8:20:8:48 | localSt ... local') |
+| string-manipulations.js:3:16:3:32 | document.location | string-manipulations.js:3:16:3:32 | document.location |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:4:16:4:32 | document.location | string-manipulations.js:4:16:4:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:32 | document.location | string-manipulations.js:5:16:5:37 | documen ... on.href |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:5:16:5:37 | documen ... on.href | string-manipulations.js:5:16:5:47 | documen ... lueOf() |
+| string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href |
+| string-manipulations.js:6:16:6:32 | document.location | string-manipulations.js:6:16:6:37 | documen ... on.href |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:6:16:6:37 | documen ... on.href | string-manipulations.js:6:16:6:43 | documen ... f.sup() |
+| string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:32 | document.location | string-manipulations.js:7:16:7:37 | documen ... on.href |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:7:16:7:37 | documen ... on.href | string-manipulations.js:7:16:7:51 | documen ... rCase() |
+| string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:32 | document.location | string-manipulations.js:8:16:8:37 | documen ... on.href |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() |
+| string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href |
+| string-manipulations.js:9:36:9:52 | document.location | string-manipulations.js:9:36:9:57 | documen ... on.href |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) |
+| string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href |
+| string-manipulations.js:10:23:10:39 | document.location | string-manipulations.js:10:23:10:44 | documen ... on.href |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) |
+| translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target |
+| translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search |
+| translate.js:6:16:6:32 | document.location | translate.js:6:16:6:39 | documen ... .search |
+| translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target |
+| translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) |
+| translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') |
+| translate.js:7:42:7:60 | target.substring(1) | translate.js:9:27:9:50 | searchP ... 'term') |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:9:37:9:40 | data |
+| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:10:38:10:41 | data |
+| tst3.js:2:23:2:74 | decodeU ... str(1)) | tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
+| tst3.js:2:42:2:56 | window.location | tst3.js:2:42:2:63 | window. ... .search |
+| tst3.js:2:42:2:56 | window.location | tst3.js:2:42:2:63 | window. ... .search |
+| tst3.js:2:42:2:63 | window. ... .search | tst3.js:2:42:2:73 | window. ... bstr(1) |
+| tst3.js:2:42:2:73 | window. ... bstr(1) | tst3.js:2:23:2:74 | decodeU ... str(1)) |
+| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
+| tst3.js:4:25:4:28 | data | tst3.js:4:25:4:32 | data.src |
+| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
+| tst3.js:5:26:5:29 | data | tst3.js:5:26:5:31 | data.p |
+| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
+| tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p |
+| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
+| tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p |
+| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
+| tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p |
+| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
+| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target |
+| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target |
+| tst.js:2:7:2:39 | target | tst.js:23:42:23:47 | target |
+| tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
+| tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
+| tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
+| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
+| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
+| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
+| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
+| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ...  'px">' |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
+| tst.js:23:42:23:47 | target | tst.js:23:42:23:60 | target.substring(1) |
+| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
+| tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target |
+| tst.js:27:14:27:19 | target | tst.js:29:18:29:23 | target |
+| tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search |
+| tst.js:31:5:31:21 | document.location | tst.js:31:5:31:28 | documen ... .search |
+| tst.js:31:5:31:28 | documen ... .search | tst.js:27:14:27:19 | target |
+| tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search |
+| tst.js:34:10:34:26 | document.location | tst.js:34:10:34:33 | documen ... .search |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:37:16:37:20 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:61:26:61:30 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() |
+| tst.js:34:10:34:33 | documen ... .search | tst.js:71:16:71:20 | bar() |
+| tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search |
+| tst.js:43:20:43:36 | document.location | tst.js:43:20:43:43 | documen ... .search |
+| tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:43:20:43:43 | documen ... .search | tst.js:43:16:43:44 | baz(doc ... search) |
+| tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search |
+| tst.js:49:21:49:37 | document.location | tst.js:49:21:49:44 | documen ... .search |
+| tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:49:21:49:44 | documen ... .search | tst.js:49:16:49:45 | wrap(do ... search) |
+| tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search |
+| tst.js:57:21:57:37 | document.location | tst.js:57:21:57:44 | documen ... .search |
+| tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:57:21:57:44 | documen ... .search | tst.js:57:16:57:45 | chop(do ... search) |
+| tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search |
+| tst.js:59:21:59:37 | document.location | tst.js:59:21:59:44 | documen ... .search |
+| tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:59:21:59:44 | documen ... .search | tst.js:59:16:59:45 | chop(do ... search) |
+| tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:21:61:31 | chop(bar()) | tst.js:61:16:61:32 | wrap(chop(bar())) |
+| tst.js:61:26:61:30 | bar() | tst.js:61:21:61:31 | chop(bar()) |
+| tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s |
+| tst.js:63:34:63:34 | s | tst.js:65:18:65:18 | s |
+| tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search |
+| tst.js:67:25:67:41 | document.location | tst.js:67:25:67:48 | documen ... .search |
+| tst.js:67:25:67:48 | documen ... .search | tst.js:63:34:63:34 | s |
+| tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search |
+| tst.js:68:25:68:41 | document.location | tst.js:68:25:68:48 | documen ... .search |
+| tst.js:68:25:68:48 | documen ... .search | tst.js:63:34:63:34 | s |
+| tst.js:73:1:73:27 | [,docum ... search] | tst.js:73:46:73:46 | x |
+| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
+| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
+| tst.js:73:3:73:26 | documen ... .search | tst.js:73:1:73:27 | [,docum ... search] |
+| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x |
+| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:85:25:85:41 | document.location | tst.js:85:25:85:48 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:87:33:87:49 | document.location | tst.js:87:33:87:56 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:88:32:88:48 | document.location | tst.js:88:32:88:55 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:93:39:93:55 | document.location | tst.js:93:39:93:62 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:99:30:99:46 | document.location | tst.js:99:30:99:53 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:105:25:105:41 | document.location | tst.js:105:25:105:48 | documen ... .search |
+| tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v |
+| tst.js:110:7:110:44 | v | tst.js:113:18:113:18 | v |
+| tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search |
+| tst.js:110:11:110:27 | document.location | tst.js:110:11:110:34 | documen ... .search |
+| tst.js:110:11:110:34 | documen ... .search | tst.js:110:11:110:44 | documen ... bstr(1) |
+| tst.js:110:11:110:44 | documen ... bstr(1) | tst.js:110:7:110:44 | v |
+| tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search |
+| tst.js:145:29:145:43 | window.location | tst.js:145:29:145:50 | window. ... .search |
+| tst.js:145:29:145:50 | window. ... .search | tst.js:148:29:148:29 | v |
+| tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v |
+| tst.js:148:29:148:29 | v | tst.js:148:49:148:49 | v |
+| tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search |
+| tst.js:155:40:155:54 | window.location | tst.js:155:40:155:61 | window. ... .search |
+| tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:155:40:155:61 | window. ... .search | tst.js:152:29:152:46 | xssSourceService() |
+| tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target |
+| tst.js:174:9:174:41 | target | tst.js:177:28:177:33 | target |
+| tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search |
+| tst.js:174:18:174:34 | document.location | tst.js:174:18:174:41 | documen ... .search |
+| tst.js:174:18:174:41 | documen ... .search | tst.js:174:9:174:41 | target |
+| tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:183:31:183:37 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:185:42:185:48 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:186:33:186:39 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:188:54:188:60 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted |
+| tst.js:181:9:181:42 | tainted | tst.js:189:45:189:51 | tainted |
+| tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search |
+| tst.js:181:19:181:35 | document.location | tst.js:181:19:181:42 | documen ... .search |
+| tst.js:181:19:181:42 | documen ... .search | tst.js:181:9:181:42 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:201:35:201:41 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:203:46:203:52 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:204:38:204:44 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:205:35:205:41 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:233:35:233:41 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:235:20:235:26 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:237:23:237:29 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:238:23:238:29 | tainted |
+| tst.js:194:9:194:42 | tainted | tst.js:252:23:252:29 | tainted |
+| tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search |
+| tst.js:194:19:194:35 | document.location | tst.js:194:19:194:42 | documen ... .search |
+| tst.js:194:19:194:42 | documen ... .search | tst.js:194:9:194:42 | tainted |
+| tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:201:35:201:41 | tainted | tst.js:209:28:209:46 | this.state.tainted1 |
+| tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:203:46:203:52 | tainted | tst.js:210:28:210:46 | this.state.tainted2 |
+| tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:204:38:204:44 | tainted | tst.js:211:28:211:46 | this.state.tainted3 |
+| tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:205:35:205:41 | tainted | tst.js:215:32:215:49 | prevState.tainted4 |
+| tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:233:35:233:41 | tainted | tst.js:222:28:222:46 | this.props.tainted1 |
+| tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:235:20:235:26 | tainted | tst.js:223:28:223:46 | this.props.tainted2 |
+| tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:237:23:237:29 | tainted | tst.js:224:28:224:46 | this.props.tainted3 |
+| tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:238:23:238:29 | tainted | tst.js:228:32:228:49 | prevProps.tainted4 |
+| tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:244:39:244:55 | props.propTainted | tst.js:248:60:248:82 | this.st ... Tainted |
+| tst.js:252:23:252:29 | tainted | tst.js:244:39:244:55 | props.propTainted |
+| tst.js:256:7:256:17 | window.name | tst.js:256:7:256:17 | window.name |
+| tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name |
+| tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name |
+| tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location |
+| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
+| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
+| tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
+| tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location |
+| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
+| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
+| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
+| typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
+| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
+| typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:3:43:3:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
+| winjs.js:2:7:2:53 | tainted | winjs.js:4:43:4:49 | tainted |
+| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
+| winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) |
+| winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted |
+#select
+| typeahead.js:10:16:10:18 | loc | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | Cross-site scripting vulnerability due to $@. | typeahead.js:9:28:9:30 | loc | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.ql
@@ -0,0 +1,24 @@
+/**
+ * @name Client-side cross-site scripting
+ * @description Writing user input directly to the DOM allows for
+ *              a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
+import DataFlow::PathGraph
+import semmle.javascript.heuristics.AdditionalSources
+
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+select sink.getNode(), source, sink,
+  sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
+  "user-provided value"
--- a/javascript/ql/test/query-tests/Security/CWE-079/typeahead.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/typeahead.js
@@ -0,0 +1,30 @@
+(function () {
+  var autocompleter = new Bloodhound({
+    prefetch: remoteUrl
+  })
+  autocompleter.initialize();
+  $('.typeahead').typeahead({}, {
+    source: autocompleter.ttAdapter(),
+    templates: {
+      suggestion: function(loc) {
+        return loc; // NOT OK!
+      }
+    }
+  })
+
+
+  $('.typeahead').typeahead({},
+    {
+      name: 'dashboards',
+      source: function (query, cb) {
+        var target = document.location.search
+        cb(target);
+      },
+      templates: {
+        suggestion: function(val) {
+          return val; // NOT OK 
+        }
+      }
+    }
+  )	
+})