From d6dc4bb6553e6c04fe33d0c88fcee5803cbde305 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen
Date: Sat, 3 Oct 2020 14:35:54 +0200
Subject: [PATCH] allow flask url_for urls in TargetBlank.ql
---
 javascript/ql/src/DOM/TargetBlank.ql | 4 +++-
 javascript/ql/test/query-tests/DOM/TargetBlank/tst.js | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql
index ae2978dbdcd..c925000159f 100644
--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -31,7 +31,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
 // fixed string with templating
 url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
 // ... that does not start with a fixed host or a relative path (common formats)
- not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*")
+ not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
+ // .. that is not a call to `url_for` in a Flask application
+ not url.regexpMatch("\\{\\{\\s*url_for.*")
 )
 )
 }
diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js
index a9afbac4646..95412acac39 100644
--- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js
+++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js
@@ -58,3 +58,8 @@ function f() {
 Example;
 Example;
 Example;
+
+// OK, Flask application with internal links
+Example;
+Example;
+Example;
\ No newline at end of file
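Review bot: The new exclusion `not url.regexpMatch("\\{\\{\\s*url_for.*")` only checks that the attribute value starts with `{{ url_for`, so any template expression whose identifier merely begins with that prefix (a project helper such as a `url_format` or `url_for_external` filter, whose output may well be a foreign host) is also silenced, which widens the false-negative side of a query that exists to catch reverse-tabnabbing. Since `regexpMatch` must match the whole string, requiring the opening parenthesis of the call pins it to the Flask helper: `not url.regexpMatch("\\{\\{\\s*url_for\\s*\\(.*")`. The comment above it would read more consistently with the preceding `// ...` lines as `// ... that is not a call to \`url_for\` in a Flask application`. The enclosing predicate starts above the hunk; note that `(?i)` on the previous regex is not inherited here, which is fine because `url_for` is always lowercase in Flask.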
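Review bot: The three added test lines appear here only as `Example;`, so the href values being exercised are not visible on this page (the markup was presumably lost in extraction); assuming they are all accepted `{{ url_for(...) }}` links, the hunk pins the happy path but not the boundary of the new exclusion. A companion case that must still be reported, such as a templated href whose expression starts with `{{ url_for` but is not the Flask call, would guard the regex against being loosened unnoticed. The enclosing function `f` starts above the hunk.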