Merge pull request #2330 from erik-krogh/exceptionXss

JS: Added query for detecting XSS that happens through an exception
2026-04-30 19:26:02 +02:00 · 2019-11-29 09:04:45 +00:00
parent 73e08eba43 9351cd44e4
commit f958916c76
19 changed files with 598 additions and 57 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
@@ -0,0 +1,151 @@
+nodes
+| exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:9:11:9:13 | foo |
+| exception-xss.js:10:10:10:10 | e |
+| exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:15:9:15:11 | foo |
+| exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:21:11:21:13 | foo |
+| exception-xss.js:21:11:21:21 | foo + "bar" |
+| exception-xss.js:22:10:22:10 | e |
+| exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:33:11:33:22 | ["bar", foo] |
+| exception-xss.js:33:19:33:21 | foo |
+| exception-xss.js:34:10:34:10 | e |
+| exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
+| exception-xss.js:46:8:46:18 | "bar" + foo |
+| exception-xss.js:46:16:46:18 | foo |
+| exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
+| exception-xss.js:81:16:81:18 | foo |
+| exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:89:11:89:13 | foo |
+| exception-xss.js:89:11:89:26 | foo.match(/foo/) |
+| exception-xss.js:90:10:90:10 | e |
+| exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:95:11:95:22 | [foo, "bar"] |
+| exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:96:10:96:10 | e |
+| exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e |
+| exception-xss.js:125:48:125:64 | document.location |
+| exception-xss.js:125:48:125:64 | document.location |
+| exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:128:11:128:52 | session ... ssion') |
+| exception-xss.js:129:10:129:10 | e |
+| exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:130:18:130:18 | e |
+| tst.js:298:9:298:16 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:299:10:299:10 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location |
+| tst.js:305:10:305:17 | location |
+| tst.js:307:10:307:10 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:308:20:308:20 | e |
+edges
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:21:11:21:13 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:33:19:33:21 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:46:16:46:18 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:81:16:81:18 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:89:11:89:13 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
+| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:15:9:15:11 | foo | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:21:11:21:13 | foo | exception-xss.js:21:11:21:21 | foo + "bar" |
+| exception-xss.js:21:11:21:21 | foo + "bar" | exception-xss.js:22:10:22:10 | e |
+| exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:33:11:33:22 | ["bar", foo] | exception-xss.js:34:10:34:10 | e |
+| exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] |
+| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
+| exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo |
+| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:81:16:81:18 | foo | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
+| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:89:11:89:13 | foo | exception-xss.js:89:11:89:26 | foo.match(/foo/) |
+| exception-xss.js:89:11:89:26 | foo.match(/foo/) | exception-xss.js:90:10:90:10 | e |
+| exception-xss.js:90:10:90:10 | e | exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:90:10:90:10 | e | exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:95:11:95:22 | [foo, "bar"] | exception-xss.js:96:10:96:10 | e |
+| exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] |
+| exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:30:119:30 | e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:125:48:125:64 | document.location | exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:125:48:125:64 | document.location | exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:125:48:125:71 | documen ... .search | exception-xss.js:128:11:128:52 | session ... ssion') |
+| exception-xss.js:128:11:128:52 | session ... ssion') | exception-xss.js:129:10:129:10 | e |
+| exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+#select
+| exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:23:18:23:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:23:18:23:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:35:18:35:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:35:18:35:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:48:18:48:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:48:18:48:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:119:14:119:30 | "Exception: " + e | exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:119:14:119:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:13:117:25 | req.params.id | user-provided value |
+| exception-xss.js:130:18:130:18 | e | exception-xss.js:125:48:125:64 | document.location | exception-xss.js:130:18:130:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:125:48:125:64 | document.location | user-provided value |
+| tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
+| tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.qlref
@@ -0,0 +1 @@
+Security/CWE-079/ExceptionXss.ql
--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -15,6 +15,11 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
+| exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
@@ -313,9 +318,19 @@ nodes
 | tst.js:282:19:282:29 | window.name |
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
-| tst.js:297:35:297:42 | location |
-| tst.js:297:35:297:42 | location |
-| tst.js:297:35:297:42 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:299:10:299:10 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location |
+| tst.js:305:10:305:17 | location |
+| tst.js:307:10:307:10 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:313:35:313:42 | location |
+| tst.js:313:35:313:42 | location |
+| tst.js:313:35:313:42 | location |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
@@ -343,6 +358,10 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
@@ -602,7 +621,15 @@ edges
 | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
-| tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
@@ -619,6 +646,7 @@ edges
 | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value |
 | addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value |
+| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
@@ -690,7 +718,9 @@ edges
 | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:261:11:261:21 | window.name | user-provided value |
 | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:277:22:277:29 | location | user-provided value |
 | tst.js:285:59:285:65 | tainted | tst.js:282:19:282:29 | window.name | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:19:282:29 | window.name | user-provided value |
-| tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:297:35:297:42 | location | user-provided value |
+| tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
+| tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |
+| tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:313:35:313:42 | location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
@@ -0,0 +1,132 @@
+(function() {
+    var foo = document.location;
+    
+    function inner(x) {
+    	unknown(x);
+	}
+
+	try {
+		unknown(foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		inner(foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		unknown(foo + "bar");
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		unknown({prop: foo});
+	} catch(e) {
+		$('myId').html(e); // We don't flag this for now.
+	}
+	
+	try {
+		unknown(["bar", foo]);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	function deep(x) {
+		deep2(x);
+	}
+	function deep2(x) {
+		inner(x);
+	}
+	
+	try {
+		deep("bar" + foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		var tmp = "bar" + foo;
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	
+	function safe(x) {
+		var foo = x + "bar";
+	}
+	
+	try {
+		safe(foo);
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	
+	try {
+		safe.call(null, foo);
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	var myWeirdInner;
+	try {
+		myWeirdInner = function (x) {
+			inner(x);
+		}		
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	try {
+		myWeirdInner(foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+	
+	$('myId').html(foo); // Direct leak, reported by other query.
+	
+	try {
+		unknown(foo.match(/foo/));
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+	
+	try {
+		unknown([foo, "bar"]);
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+
+	try {
+		try {
+			unknown(foo);
+		} finally {
+			// nothing
+		}
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+});
+
+var express = require('express');
+
+var app = express();
+
+app.get('/user/:id', function(req, res) {
+  try {
+    unknown(req.params.id);
+  } catch(e) {
+    res.send("Exception: " + e); // NOT OK!
+  }
+});
+
+
+(function () {
+    sessionStorage.setItem('exceptionSession', document.location.search);
+
+	try {
+		unknown(sessionStorage.getItem('exceptionSession'));
+	} catch(e) {
+		$('myId').html(e); // NOT OK
+	}
+})();
--- a/javascript/ql/test/query-tests/Security/CWE-079/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/tst.js
@@ -293,6 +293,22 @@ function flowThroughPropertyNames() {
      $(p); // OK
 }

+function basicExceptions() {
+	try {
+		throw location;
+	} catch(e) {
+		$("body").append(e); // NOT OK
+	}
+
+	try {
+		try {
+			throw location
+		} finally {}
+	} catch(e) {
+		$("body").append(e); // NOT OK
+	}
+}
+
 function handlebarsSafeString() {
 	return new Handlebars.SafeString(location); // NOT OK!	
 }