hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cs/assembly-prefix
codeql/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js
Esben Sparre Andreasen 59b7b0757a JS: make Express' res/req extend Node's res/req
2019-06-12 12:45:01 +02:00

52 lines
1.3 KiB
JavaScript
Raw Permalink Blame History

var escape = require('escape-html');
var express = require('express');
var app = express();
app.get('/user/:id', function(req, res) {
if (!isValidUserId(req.params.id))
// GOOD: request parameter is sanitized before incorporating it into the response
res.send("Unknown user: " + escape(req.params.id));
else
// TODO: do something exciting
;
});
app.get('/user/:id', function(req, res) {
if (!isValidUserId(req.params.id))
// GOOD: templating prevents XSS
res.render(invalidUserIdTemplate, { id: req.params.id });
});
app.get('/user/:id', function(req, res) {
if (!isValidUserId(req.params.id)) {
// GOOD: response content type set to text
res.set('Content-Type', 'text/plain');
res.send("Unknown user: " + req.params.id);
} else
// TODO: do something exciting
;
});
function textContentType() {
result = "text/plain";
}
app.get('/user/:id', function(req, res) {
if (!isValidUserId(req.params.id)) {
// GOOD: response content type set to text
res.set('Content-Type', textContentType());
res.send("Unknown user: " + req.params.id);
} else
// TODO: do something exciting
;
});
app.get('/echo', function(req, res) {
var msg = req.params.msg;
res.setHeader('Content-Type', 'application/json');
res.setHeader('Content-Length', msg.length);
res.end(msg);
});
Reference in New Issue View Git Blame Copy Permalink