Add dot.jssupport
Co-authored-by: Kevin Stubbings <Kwstubbs@users.noreply.github.com>
@@ -103,7 +103,7 @@ public class FileExtractor {
|
||||
|
||||
/** Information about supported file types. */
|
||||
public static enum FileType {
|
||||
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb") {
|
||||
HTML(".htm", ".html", ".xhtm", ".xhtml", ".vue", ".hbs", ".ejs", ".njk", ".erb", ".dot") {
|
||||
@Override
|
||||
public IExtractor mkExtractor(ExtractorConfig config, ExtractorState state) {
|
||||
return new HTMLExtractor(config, state);
|
||||
|
||||
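Review bot: Adding `.dot` to the `HTML` file type on the changed enum line sends every `.dot` file through `HTMLExtractor`, not only doT templates. The extension is also commonly used for Graphviz graph descriptions, so repositories that contain those would presumably have them extracted as HTML as well. Nothing in the visible lines narrows the match, so it is worth confirming that this is acceptable, and documenting it next to the list, for example `// .dot: doT.js templates (extension is shared with Graphviz files)`. The body of the enum constant continues outside the hunk.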
@@ -580,6 +580,22 @@ module Templating {
|
||||
override string getAPackageName() { result = "ejs" }
|
||||
}
|
||||
|
||||
/**
|
||||
* doT-style syntax, using `{{! }}` for safe interpolation, and `{{= }}` for
|
||||
* unsafe interpolation.
|
||||
*/
|
||||
private class DotStyleSyntax extends TemplateSyntax {
|
||||
DotStyleSyntax() { this = "dot" }
|
||||
|
||||
override string getRawInterpolationRegexp() { result = "(?s)\\{\\{!(.*?)\\}\\}" }
|
||||
|
||||
override string getEscapingInterpolationRegexp() { result = "(?s)\\{\\{=(.*?)\\}\\}" }
|
||||
|
||||
override string getAFileExtension() { result = "dot" }
|
||||
|
||||
override string getAPackageName() { result = "dot" }
|
||||
}
|
||||
|
||||
private TemplateSyntax getOwnTemplateSyntaxInFolder(Folder f) {
|
||||
exists(PackageDependencies deps |
|
||||
deps.getADependency(result.getAPackageName(), _) and
|
||||
|
||||
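Review bot: The two regexps in `DotStyleSyntax` look swapped relative to the class's own doc comment: the comment says `{{! }}` is the safe form and `{{= }}` the unsafe one, yet `getRawInterpolationRegexp` matches `{{!` and `getEscapingInterpolationRegexp` matches `{{=`. If "raw" means unescaped output, as the method name suggests (`TemplateSyntax` is defined outside the hunk), queries built on these predicates would report the encoded tag and miss the unencoded one, which is a false negative for XSS detection. The overrides would then read `override string getRawInterpolationRegexp() { result = "(?s)\\{\\{=(.*?)\\}\\}" }` and `override string getEscapingInterpolationRegexp() { result = "(?s)\\{\\{!(.*?)\\}\\}" }`. The new test template contains both `{{! tainted }}` and `{{= tainted }}` without marking which one is expected to alert, so the test as shown would not expose the mix-up. `getOwnTemplateSyntaxInFolder` continues outside the hunk.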
@@ -66,3 +66,9 @@ app.get('/angularjs', (req, res) => {
|
||||
rawHtml: req.query.rawHtml,
|
||||
});
|
||||
});
|
||||
|
||||
app.get('/dotjs', (req, res) => {
|
||||
res.render('dot_sinks', {
|
||||
tainted: req.query.foo,
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,6 @@
|
||||
<html>
|
||||
<body>
|
||||
{{! tainted }}
|
||||
{{= tainted }}
|
||||
</body>
|
||||
</html>
|
||||