allow flask url_for urls in TargetBlank.ql

Erik Krogh Kristensen
2020-10-03 14:35:54 +02:00
parent 78c58c2415
commit d6dc4bb655
2 changed files with 8 additions and 1 deletions


@@ -31,7 +31,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
// fixed string with templating
url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
// ... that does not start with a fixed host or a relative path (common formats)
not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*")
not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
// .. that is not a call to `url_for` in a Flask application
not url.regexpMatch("\\{\\{\\s*url_for.*")
)
)
}
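Review bot: The new exclusion `not url.regexpMatch("\\{\\{\\s*url_for.*")` keys on the identifier prefix only, so a templated href whose expression merely begins with `url_for` (a variable named `url_forward`, say) is also dropped from this `target="_blank"` query, together with whatever follows the opening expression. Requiring the call parenthesis keeps the exemption to what the comment describes: `not url.regexpMatch("\\{\\{\\s*url_for\\s*\\(.*")`. The exclusion also applies whatever template engine produced the markup, so the comment could state the assumption it rests on, for example `// ... that is not a call to Flask's url_for, which is assumed to resolve to the application's own routes`. The predicate starts above the hunk, so the conditions before these lines are not visible here.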


@@ -58,3 +58,8 @@ function f() {
<a href="index.html/{{X}}" target="_blank">Example</a>;
<a href="../index.html/{{X}}" target="_blank">Example</a>;
<a href="/{{X}}" target="_blank">Example</a>;
// OK, Flask application with internal links
<a href="{{url_for('foo.html', 'foo')}}" target="_blank">Example</a>;
<a href="{{ url_for('foo.html', 'foo')}}" target="_blank">Example</a>;
<a href="{{ url_for('foo.html', 'foo')}}" target="_blank">Example</a>;
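Review bot: The added cases cover only the exempt side of the new `url_for` rule, so nothing pins where the exemption stops. A case whose template expression only shares the prefix, such as `<a href="{{url_forward}}" target="_blank">Example</a>;` under a `// NOT OK` comment, would document the intended boundary; whether the query reports it with the regex as committed is worth checking first. The last two added lines read identically on this page. If they differ only in whitespace that the rendering lost, a short comment naming the variation would help; otherwise one of them is redundant. `f` starts above the hunk.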