hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12377 from erik-krogh/jHtml

Browse Source 
JS: add the html argument to the jQuery functions as an XSS sink
This commit is contained in:
Erik Krogh Kristensen
2023-03-03 13:19:38 +01:00
committed by GitHub
parent 48c30771da a6c9af4182
commit d94e51aaf6
3 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
View File

@@ -540,9 +540,9 @@ module JQuery {
JQuery::isMethodArgumentInterpretedAsHtml(name) and
node = this.getAnArgument()
or
// for `$, it's only the first one
// for `$, it's only the first one, or an "html" option
name = "$" and
node = this.getArgument(0)
node = [this.getArgument(0), this.getOptionArgument(1, "html")]
}
/**

5
javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
View File

@@ -157,6 +157,8 @@ nodes
| xss-through-dom.js:140:19:140:21 | src |
| xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:150:24:150:26 | src |
edges
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
| forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -257,6 +259,8 @@ edges
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:140:19:140:21 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:150:24:150:26 | src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
| xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
#select
@@ -302,3 +306,4 @@ edges
| xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text |
| xss-through-dom.js:140:19:140:21 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:140:19:140:21 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
| xss-through-dom.js:141:25:141:27 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:141:25:141:27 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
| xss-through-dom.js:150:24:150:26 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:150:24:150:26 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |

2
javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
View File

@@ -146,4 +146,6 @@ const cashDom = require("cash-dom");
}
};
cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK
$("<a />", { html: src }).appendTo("#id"); // NOT OK
})();