From d1d9df772918347c46b39e2e39d73c73c192447e Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Mon, 22 Jun 2026 21:35:21 -0400
Subject: [PATCH] Address review: restrict @HostListener handler to window/document message targets

Drop the plain 'message' event name from the @HostListener matcher. The postMessage 'message' event is dispatched on window and does not bubble, so an element-level @HostListener('message') does not receive cross-window messages. Keeping only 'window:message' and 'document:message' makes the model more precise and matches the accompanying comment and change note.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
index 98beb1141c3..3d371c47318 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
@@ -197,13 +197,13 @@ class PostMessageEventHandler extends Function {
 )
 or
 // Angular's `@HostListener('window:message', ['$event'])` decorator registers
- // a method as a `message` event handler on the global `window`/`document`
+ // a method as a `message` event handler on the global `window` or `document`
 // target. The decorated method receives the `MessageEvent` as its first
 // parameter, so it is equivalent to `window.addEventListener('message', ...)`.
 exists(MethodDefinition method, DataFlow::CallNode decorator |
 decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
 decorator = method.getADecorator().getExpression().flow() and
- decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message", "message"]) and
+ decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
 method.getBody() = this and
 paramIndex = 0
 )
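Review bot: The new `mayHaveStringValue` conjunct constrains only the event-name argument, so `paramIndex = 0` is bound as the `MessageEvent` whatever the decorator's second argument is, although that only holds for the `['$event']` shape the comment itself names. `@HostListener('window:message', ['$event.data'])` hands the payload rather than the event to the first parameter, and `@HostListener('window:message')` with no argument list passes nothing, so the first may be modelled as the wrong value and the second becomes a spurious source. Consider requiring the `$event` shape, e.g. `decorator.getArgument(1).(DataFlow::ArrayCreationNode).getElement(0).mayHaveStringValue("$event") and`, or at least extend the comment with `// Assumes the handler is registered with ['$event']; ['$event.data'] is not modelled.`. Separately, a cross-window `postMessage` event is dispatched at `window` and, as far as I can tell, never reaches a `document` listener, so the `"document:message"` alternative is likely inert for this source — harmless over-approximation, but the `window` or `document` wording in the new comment overstates the equivalence. The enclosing `PostMessageEventHandler` characteristic predicate begins and ends outside the hunk.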