allow urls that are prefixed with # or ? in js/unsafe-external-link

Erik Krogh Kristensen
2020-08-31 16:02:25 +02:00
parent f7edf28d0d
commit f0a0f41c3c
3 changed files with 17 additions and 1 deletions


@@ -29,7 +29,7 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
or
exists(string url | url = attr.getStringValue() |
// fixed string with templating
url.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
// ... that does not start with a fixed host or a relative path (common formats)
not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
// ... that is not a mailto: link
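Review bot: The `// fixed string with templating` comment above the changed `regexpMatch` call no longer states the condition being tested. With the `[^?#]*` prefix, the match presumably requires a templating delimiter that appears before any `?` or `#`, which is wider than the "prefixed with # or ?" case named in the commit title. I would reword the comment to `// fixed string with templating that starts before any "?" or "#" (outside the query string and fragment)` and add a short why-comment saying that a placeholder confined to the query or fragment cannot change the host the link points to. `getDelimiterMatchingRegexpWithPrefix` is defined outside this hunk, so how the prefix is anchored is inferred from its name, and the body of `hasDynamicHrefHostAttributeValue` continues beyond the lines shown.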