hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
tausbn/python-refine-location-of-flask-request-sources
codeql/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
Asger F 64d39da5f8 JS: Accept Sources/Sink tags
2025-02-28 13:29:30 +01:00

120 lines
3.7 KiB
JavaScript
Raw Permalink Blame History

module.exports.xssThroughHTMLConstruction = function (s) { // $ Source
const html = "<span>" + s + "</span>";// $ Alert
document.querySelector("#html").innerHTML = html;
}
module.exports.xssThroughXMLParsing = function (s) { // $ Source
const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert
document.querySelector("#xml").appendChild(doc.documentElement);
}
module.exports.xssThroughMoreComplexXMLParsing = function (s) { // $ Source
const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert
const xml = doc.documentElement;
const tmp = document.createElement('span');
tmp.appendChild(xml.cloneNode());
document.querySelector("#xml").appendChild(tmp);
}
const markdown = require('markdown-it')({html: true});
module.exports.xssThroughMarkdown = function (s) { // $ Source
const html = markdown.render(s); // $ Alert
document.querySelector("#markdown").innerHTML = html;
}
const striptags = require('striptags');
module.exports.sanitizedHTML = function (s) {
const html = striptags("<span>" + s + "</span>");
document.querySelector("#sanitized").innerHTML = html;
}
module.exports.ts = require("./typed");
module.exports.jquery = require("./jquery-plugin");
module.exports.plainDOMXMLParsing = function (s) {
const doc = new DOMParser().parseFromString(s, "text/xml"); // OK - is never added to the DOM.
}
class Foo {
constructor(s) {
this.step = s;
}
doXss() {
// not called here, but still bad.
document.querySelector("#class").innerHTML = "<span>" + this.step + "</span>"; // $ MISSING: Alert - needs localFieldStep
}
}
module.exports.createsClass = function (s) {
return new Foo(s);
}
$.fn.xssPlugin = function (options) { // $ Source
const defaults = {
name: "name"
};
const settings = $.extend(defaults, options);
return this.each(function () {
$("<b>" + settings.name + "</b>").appendTo(this); // $ Alert
});
}
module.exports.guards = function (attrVal) { // $ Source
document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal + "\"/>"; // $ Alert
document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal.replace(/"|'/g, "") + "\"/>";
if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) {
document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal + "\"/>";
}
}
module.exports.intentionalTemplate = function (obj) {
const html = "<span>" + obj.spanTemplate + "</span>";
document.querySelector("#template").innerHTML = html;
}
module.exports.types = function (val) { // $ Source
if (typeof val === "string") {
$("#foo").html("<span>" + val + "</span>"); // $ Alert
} else if (typeof val === "number") {
$("#foo").html("<span>" + val + "</span>");
} else if (typeof val === "boolean") {
$("#foo").html("<span>" + val + "</span>");
}
}
function createHTML(x) {
return "<span>" + x + "</span>"; // $ Alert
}
module.exports.usesCreateHTML = function (x) { // $ Source
$("#foo").html(createHTML(x));
}
const myMermaid = require('mermaid');
module.exports.usesCreateHTML = function (x) { // $ Source
myMermaid.render("id", x, function (svg) { // $ Alert
$("#foo").html(svg);
});
$("#foo").html(myMermaid.render("id", x)); // $ Alert
mermaid.render("id", x, function (svg) {// $ Alert
$("#foo").html(svg);
});
$("#foo").html(mermaid.render("id", x)); // $ Alert
mermaid.mermaidAPI.render("id", x, function (svg) {// $ Alert
$("#foo").html(svg);
});
}
module.exports.xssThroughMarkdown = function (s) { // $ Source
const html = markdown.render(s); // $ Alert
document.querySelector("#markdown").innerHTML = html;
}
Reference in New Issue View Git Blame Copy Permalink