mirror of
https://github.com/github/codeql.git
synced 2025-12-21 03:06:31 +01:00
22 lines
1.6 KiB
HTML
22 lines
1.6 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
</head>
|
|
<body>
|
|
<script src="http://test.local/foo.js"></script>> <!-- $ Alert[js/functionality-from-untrusted-source] -->
|
|
<script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>> <!-- OK - integrity digest present -->
|
|
<script src="https://test.local/bar.js"></script>> <!-- OK - https -->
|
|
<iframe src="http://test.local/foo.html"></iframe> <!-- $ Alert[js/functionality-from-untrusted-source] -->
|
|
<iframe src="https://test.local/foo.html"></iframe> <!-- OK - https -->
|
|
<iframe src="//test.local/foo.html"></iframe> <!-- OK (protocol-relative url is allowed as a http url of
|
|
the page is vulnerable in the first place) -->
|
|
<iframe src="http://::1/foo.html"></iframe> <!-- OK - localhost -->
|
|
<iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK - localhost -->
|
|
<iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK - localhost -->
|
|
|
|
<!-- Some CDNs recommend using the integrity attribute — for those, we demand it even with https links -->
|
|
<!-- OK - digest present -->
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" integrity="sha512-7oYXeK0OxTFxndh0erL8FsjGvrl2VMDor6fVqzlLGfwOQQqTbYsGPv4ZZ15QHfSk80doyaM0ZJdvkyDcVO7KFA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script> <!-- $ Alert[js/functionality-from-untrusted-source] - digest missing -->
|
|
</body>
|
|
</html> |