mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
#select
|
|
| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value |
|
|
| ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value |
|
|
| ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value |
|
|
| ReflectedXss.js:22:12:22:27 | marked(req.body) | ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value |
|
|
| ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value |
|
|
| ReflectedXss.js:33:12:33:18 | mytable | ReflectedXss.js:31:14:31:21 | req.body | ReflectedXss.js:33:12:33:18 | mytable | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:31:14:31:21 | req.body | user-provided value |
|
|
| ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value |
|
|
| ReflectedXss.js:41:12:41:39 | convert ... q.body) | ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:41:31:41:38 | req.body | user-provided value |
|
|
| ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:55:12:55:19 | req.body | user-provided value |
|
|
| ReflectedXss.js:64:16:64:19 | file | ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value |
|
|
| ReflectedXss.js:67:12:67:52 | remark( ... tring() | ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value |
|
|
| ReflectedXss.js:71:12:71:65 | unified ... oString | ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value |
|
|
| ReflectedXss.js:74:14:74:14 | f | ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:73:20:73:27 | req.body | user-provided value |
|
|
| ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value |
|
|
| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:22:83:29 | req.body | user-provided value |
|
|
| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:84:23:84:30 | req.body | user-provided value |
|
|
| ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:96:12:96:19 | req.body | user-provided value |
|
|
| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value |
|
|
| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value |
|
|
| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value |
|
|
| ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value |
|
|
| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value |
|
|
| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value |
|
|
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
|
|
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
|
|
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
|
|
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
|
|
| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to a $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
|
|
| app/api/route.ts:5:18:5:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:5:18:5:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
|
|
| app/api/route.ts:13:18:13:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:13:18:13:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
|
|
| app/api/route.ts:25:18:25:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:25:18:25:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
|
|
| app/api/route.ts:29:25:29:28 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:29:25:29:28 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
|
|
| app/api/routeNextRequest.ts:7:20:7:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:7:20:7:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
|
|
| app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
|
|
| app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
|
|
| app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
|
|
| app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
|
|
| app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
|
|
| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
|
|
| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
|
|
| formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
|
|
| live-server.js:6:13:6:50 | `<html> ... /html>` | live-server.js:4:21:4:27 | req.url | live-server.js:6:13:6:50 | `<html> ... /html>` | Cross-site scripting vulnerability due to a $@. | live-server.js:4:21:4:27 | req.url | user-provided value |
|
|
| live-server.js:12:13:12:50 | `<html> ... /html>` | live-server.js:10:21:10:27 | req.url | live-server.js:12:13:12:50 | `<html> ... /html>` | Cross-site scripting vulnerability due to a $@. | live-server.js:10:21:10:27 | req.url | user-provided value |
|
|
| pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value |
|
|
| pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value |
|
|
| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to a $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value |
|
|
| partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:13:42:13:48 | req.url | user-provided value |
|
|
| partial.js:19:14:19:18 | x + y | partial.js:22:51:22:57 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:22:51:22:57 | req.url | user-provided value |
|
|
| partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:31:47:31:53 | req.url | user-provided value |
|
|
| partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:40:43:40:49 | req.url | user-provided value |
|
|
| promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to a $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
|
|
| response-object.js:9:18:9:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:10:18:10:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:11:18:11:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:14:18:14:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:17:18:17:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:23:18:23:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:26:18:26:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:34:18:34:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| response-object.js:38:18:38:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
|
|
| tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:6:9:6:9 | p | user-provided value |
|
|
| tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to a $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
|
|
| tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value |
|
|
| tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value |
|
|
| tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:30:9:30:9 | p | user-provided value |
|
|
| tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:30:9:30:9 | p | user-provided value |
|
|
| tst2.js:51:12:51:17 | unsafe | tst2.js:43:9:43:9 | p | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to a $@. | tst2.js:43:9:43:9 | p | user-provided value |
|
|
| tst2.js:63:12:63:12 | p | tst2.js:57:9:57:9 | p | tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:57:9:57:9 | p | user-provided value |
|
|
| tst2.js:64:12:64:18 | other.p | tst2.js:57:9:57:9 | p | tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:57:9:57:9 | p | user-provided value |
|
|
| tst2.js:75:12:75:12 | p | tst2.js:69:9:69:9 | p | tst2.js:75:12:75:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value |
|
|
| tst2.js:76:12:76:18 | other.p | tst2.js:69:9:69:9 | p | tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value |
|
|
| tst2.js:88:12:88:12 | p | tst2.js:82:9:82:9 | p | tst2.js:88:12:88:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value |
|
|
| tst2.js:89:12:89:18 | other.p | tst2.js:82:9:82:9 | p | tst2.js:89:12:89:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value |
|
|
| tst2.js:101:12:101:17 | unsafe | tst2.js:93:9:93:9 | p | tst2.js:101:12:101:17 | unsafe | Cross-site scripting vulnerability due to a $@. | tst2.js:93:9:93:9 | p | user-provided value |
|
|
| tst2.js:113:12:113:17 | unsafe | tst2.js:105:9:105:9 | p | tst2.js:113:12:113:17 | unsafe | Cross-site scripting vulnerability due to a $@. | tst2.js:105:9:105:9 | p | user-provided value |
|
|
| tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to a $@. | tst3.js:5:9:5:9 | p | user-provided value |
|
|
| tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to a $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
|
|
edges
|
|
| ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | provenance | |
|
|
| ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | provenance | |
|
|
| ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | provenance | |
|
|
| ReflectedXss.js:29:7:29:13 | mytable | ReflectedXss.js:33:12:33:18 | mytable | provenance | |
|
|
| ReflectedXss.js:29:17:32:4 | table([ ... ce\\n ]) | ReflectedXss.js:29:7:29:13 | mytable | provenance | |
|
|
| ReflectedXss.js:29:23:32:3 | [\\n [ ... rce\\n ] [1, 1] | ReflectedXss.js:29:17:32:4 | table([ ... ce\\n ]) | provenance | |
|
|
| ReflectedXss.js:31:5:31:22 | ['body', req.body] [1] | ReflectedXss.js:29:23:32:3 | [\\n [ ... rce\\n ] [1, 1] | provenance | |
|
|
| ReflectedXss.js:31:14:31:21 | req.body | ReflectedXss.js:31:5:31:22 | ['body', req.body] [1] | provenance | |
|
|
| ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | provenance | |
|
|
| ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:63:39:63:42 | file | provenance | |
|
|
| ReflectedXss.js:63:39:63:42 | file | ReflectedXss.js:64:16:64:19 | file | provenance | |
|
|
| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | ReflectedXss.js:67:12:67:52 | remark( ... tring() | provenance | |
|
|
| ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:41 | remark( ... q.body) | provenance | |
|
|
| ReflectedXss.js:71:12:71:56 | unified ... q.body) | ReflectedXss.js:71:12:71:65 | unified ... oString | provenance | |
|
|
| ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:56 | unified ... q.body) | provenance | |
|
|
| ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:73:34:73:34 | f | provenance | |
|
|
| ReflectedXss.js:73:34:73:34 | f | ReflectedXss.js:74:14:74:14 | f | provenance | |
|
|
| ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | provenance | |
|
|
| ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | provenance | |
|
|
| ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | provenance | |
|
|
| ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... q.body) | provenance | |
|
|
| ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | provenance | |
|
|
| ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:113:19:113:27 | queryKeys | provenance | |
|
|
| ReflectedXss.js:113:19:113:27 | queryKeys | ReflectedXss.js:115:18:115:26 | queryKeys | provenance | |
|
|
| ReflectedXss.js:115:11:115:14 | keys | ReflectedXss.js:117:50:117:53 | keys | provenance | |
|
|
| ReflectedXss.js:115:11:115:14 | keys | ReflectedXss.js:117:58:117:61 | keys | provenance | |
|
|
| ReflectedXss.js:115:18:115:26 | queryKeys | ReflectedXss.js:115:11:115:14 | keys | provenance | |
|
|
| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:115:11:115:14 | keys | provenance | |
|
|
| ReflectedXss.js:117:11:117:18 | keyArray | ReflectedXss.js:118:25:118:32 | keyArray | provenance | |
|
|
| ReflectedXss.js:117:11:117:18 | keyArray [0] | ReflectedXss.js:118:25:118:32 | keyArray [0] | provenance | |
|
|
| ReflectedXss.js:117:49:117:54 | [keys] [0] | ReflectedXss.js:117:11:117:18 | keyArray [0] | provenance | |
|
|
| ReflectedXss.js:117:50:117:53 | keys | ReflectedXss.js:117:49:117:54 | [keys] [0] | provenance | |
|
|
| ReflectedXss.js:117:58:117:61 | keys | ReflectedXss.js:117:11:117:18 | keyArray | provenance | |
|
|
| ReflectedXss.js:118:11:118:21 | invalidKeys | ReflectedXss.js:121:33:121:43 | invalidKeys | provenance | |
|
|
| ReflectedXss.js:118:11:118:21 | invalidKeys [0] | ReflectedXss.js:121:33:121:43 | invalidKeys [0] | provenance | |
|
|
| ReflectedXss.js:118:25:118:32 | keyArray | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | provenance | |
|
|
| ReflectedXss.js:118:25:118:32 | keyArray [0] | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | provenance | |
|
|
| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | ReflectedXss.js:118:11:118:21 | invalidKeys | provenance | |
|
|
| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | ReflectedXss.js:118:11:118:21 | invalidKeys [0] | provenance | |
|
|
| ReflectedXss.js:121:33:121:43 | invalidKeys | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | |
|
|
| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | |
|
|
| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | provenance | |
|
|
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | provenance | |
|
|
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | provenance | |
|
|
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | provenance | |
|
|
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | provenance | |
|
|
| ReflectedXssGood3.js:68:22:68:26 | value | ReflectedXssGood3.js:77:16:77:20 | value | provenance | |
|
|
| ReflectedXssGood3.js:68:22:68:26 | value | ReflectedXssGood3.js:105:18:105:22 | value | provenance | |
|
|
| ReflectedXssGood3.js:77:7:77:11 | parts | ReflectedXssGood3.js:108:10:108:14 | parts | provenance | |
|
|
| ReflectedXssGood3.js:77:7:77:11 | parts [0] | ReflectedXssGood3.js:108:10:108:14 | parts [0] | provenance | |
|
|
| ReflectedXssGood3.js:77:15:77:37 | [value. ... (0, i)] [0] | ReflectedXssGood3.js:77:7:77:11 | parts [0] | provenance | |
|
|
| ReflectedXssGood3.js:77:16:77:20 | value | ReflectedXssGood3.js:77:16:77:36 | value.s ... g(0, i) | provenance | |
|
|
| ReflectedXssGood3.js:77:16:77:36 | value.s ... g(0, i) | ReflectedXssGood3.js:77:7:77:11 | parts | provenance | |
|
|
| ReflectedXssGood3.js:77:16:77:36 | value.s ... g(0, i) | ReflectedXssGood3.js:77:15:77:37 | [value. ... (0, i)] [0] | provenance | |
|
|
| ReflectedXssGood3.js:77:16:77:36 | value.s ... g(0, i) | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | provenance | |
|
|
| ReflectedXssGood3.js:105:7:105:11 | [post update] parts [ArrayElement] | ReflectedXssGood3.js:108:10:108:14 | parts [ArrayElement] | provenance | |
|
|
| ReflectedXssGood3.js:105:18:105:22 | value | ReflectedXssGood3.js:105:18:105:38 | value.s ... g(j, i) | provenance | |
|
|
| ReflectedXssGood3.js:105:18:105:38 | value.s ... g(j, i) | ReflectedXssGood3.js:105:7:105:11 | [post update] parts [ArrayElement] | provenance | |
|
|
| ReflectedXssGood3.js:108:10:108:14 | parts | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | provenance | |
|
|
| ReflectedXssGood3.js:108:10:108:14 | parts [0] | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | provenance | |
|
|
| ReflectedXssGood3.js:108:10:108:14 | parts [ArrayElement] | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | provenance | |
|
|
| ReflectedXssGood3.js:135:9:135:11 | url | ReflectedXssGood3.js:139:24:139:26 | url | provenance | |
|
|
| ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:135:9:135:11 | url | provenance | |
|
|
| ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | provenance | |
|
|
| ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | provenance | |
|
|
| app/api/route.ts:2:11:2:14 | body | app/api/route.ts:5:18:5:21 | body | provenance | |
|
|
| app/api/route.ts:2:11:2:14 | body | app/api/route.ts:13:18:13:21 | body | provenance | |
|
|
| app/api/route.ts:2:11:2:14 | body | app/api/route.ts:25:18:25:21 | body | provenance | |
|
|
| app/api/route.ts:2:11:2:14 | body | app/api/route.ts:29:25:29:28 | body | provenance | |
|
|
| app/api/route.ts:2:18:2:33 | await req.json() | app/api/route.ts:2:11:2:14 | body | provenance | |
|
|
| app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:2:18:2:33 | await req.json() | provenance | |
|
|
| app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:7:20:7:23 | body | provenance | |
|
|
| app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:15:20:15:23 | body | provenance | |
|
|
| app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:27:20:27:23 | body | provenance | |
|
|
| app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:31:27:31:30 | body | provenance | |
|
|
| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:12 | body | provenance | |
|
|
| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance | |
|
|
| etherpad.js:9:5:9:12 | response | etherpad.js:11:12:11:19 | response | provenance | |
|
|
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:12 | response | provenance | |
|
|
| formatting.js:4:9:4:12 | evil | formatting.js:6:43:6:46 | evil | provenance | |
|
|
| formatting.js:4:9:4:12 | evil | formatting.js:7:49:7:52 | evil | provenance | |
|
|
| formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:12 | evil | provenance | |
|
|
| formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) | provenance | |
|
|
| formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) | provenance | |
|
|
| live-server.js:4:11:4:17 | tainted | live-server.js:6:28:6:34 | tainted | provenance | |
|
|
| live-server.js:4:21:4:27 | req.url | live-server.js:4:11:4:17 | tainted | provenance | |
|
|
| live-server.js:6:28:6:34 | tainted | live-server.js:6:13:6:50 | `<html> ... /html>` | provenance | |
|
|
| live-server.js:10:11:10:17 | tainted | live-server.js:12:28:12:34 | tainted | provenance | |
|
|
| live-server.js:10:21:10:27 | req.url | live-server.js:10:11:10:17 | tainted | provenance | |
|
|
| live-server.js:12:28:12:34 | tainted | live-server.js:12:13:12:50 | `<html> ... /html>` | provenance | |
|
|
| partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x | provenance | |
|
|
| partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y | provenance | |
|
|
| partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x | provenance | |
|
|
| partial.js:18:25:18:25 | x | partial.js:19:14:19:14 | x | provenance | |
|
|
| partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y | provenance | |
|
|
| partial.js:22:51:22:57 | req.url | partial.js:18:25:18:25 | x | provenance | |
|
|
| partial.js:27:25:27:25 | x | partial.js:28:14:28:14 | x | provenance | |
|
|
| partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y | provenance | |
|
|
| partial.js:31:47:31:53 | req.url | partial.js:27:25:27:25 | x | provenance | |
|
|
| partial.js:36:25:36:25 | x | partial.js:37:14:37:14 | x | provenance | |
|
|
| partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y | provenance | |
|
|
| partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x | provenance | |
|
|
| promises.js:5:3:5:59 | new Pro ... .data)) [PromiseValue] | promises.js:6:11:6:11 | x | provenance | |
|
|
| promises.js:5:16:5:22 | resolve [Return] [resolve-value] | promises.js:5:3:5:59 | new Pro ... .data)) [PromiseValue] | provenance | |
|
|
| promises.js:5:36:5:42 | [post update] resolve [resolve-value] | promises.js:5:16:5:22 | resolve [Return] [resolve-value] | provenance | |
|
|
| promises.js:5:44:5:57 | req.query.data | promises.js:5:36:5:42 | [post update] resolve [resolve-value] | provenance | |
|
|
| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:9:18:9:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:10:18:10:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:11:18:11:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:14:18:14:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:17:18:17:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:23:18:23:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:26:18:26:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:34:18:34:21 | data | provenance | |
|
|
| response-object.js:7:11:7:14 | data | response-object.js:38:18:38:21 | data | provenance | |
|
|
| response-object.js:7:18:7:25 | req.body | response-object.js:7:11:7:14 | data | provenance | |
|
|
| tst2.js:6:9:6:9 | p | tst2.js:6:9:6:9 | p | provenance | |
|
|
| tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | provenance | |
|
|
| tst2.js:6:12:6:15 | q: r | tst2.js:6:15:6:15 | r | provenance | |
|
|
| tst2.js:6:15:6:15 | r | tst2.js:8:12:8:12 | r | provenance | |
|
|
| tst2.js:14:9:14:9 | p | tst2.js:14:9:14:9 | p | provenance | |
|
|
| tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | provenance | |
|
|
| tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | provenance | |
|
|
| tst2.js:30:9:30:9 | p | tst2.js:30:9:30:9 | p | provenance | |
|
|
| tst2.js:30:9:30:9 | p | tst2.js:33:11:33:11 | p | provenance | |
|
|
| tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | provenance | |
|
|
| tst2.js:33:3:33:5 | [post update] obj [p] | tst2.js:34:21:34:23 | obj [p] | provenance | |
|
|
| tst2.js:33:11:33:11 | p | tst2.js:33:3:33:5 | [post update] obj [p] | provenance | |
|
|
| tst2.js:34:7:34:11 | other [p] | tst2.js:37:12:37:16 | other [p] | provenance | |
|
|
| tst2.js:34:15:34:24 | clone(obj) [p] | tst2.js:34:7:34:11 | other [p] | provenance | |
|
|
| tst2.js:34:21:34:23 | obj [p] | tst2.js:34:15:34:24 | clone(obj) [p] | provenance | |
|
|
| tst2.js:37:12:37:16 | other [p] | tst2.js:37:12:37:18 | other.p | provenance | |
|
|
| tst2.js:43:9:43:9 | p | tst2.js:43:9:43:9 | p | provenance | |
|
|
| tst2.js:43:9:43:9 | p | tst2.js:49:36:49:36 | p | provenance | |
|
|
| tst2.js:49:7:49:12 | unsafe | tst2.js:51:12:51:17 | unsafe | provenance | |
|
|
| tst2.js:49:16:49:53 | seriali ... true}) | tst2.js:49:7:49:12 | unsafe | provenance | |
|
|
| tst2.js:49:36:49:36 | p | tst2.js:49:16:49:53 | seriali ... true}) | provenance | |
|
|
| tst2.js:57:9:57:9 | p | tst2.js:57:9:57:9 | p | provenance | |
|
|
| tst2.js:57:9:57:9 | p | tst2.js:60:11:60:11 | p | provenance | |
|
|
| tst2.js:57:9:57:9 | p | tst2.js:63:12:63:12 | p | provenance | |
|
|
| tst2.js:60:3:60:5 | [post update] obj [p] | tst2.js:61:22:61:24 | obj [p] | provenance | |
|
|
| tst2.js:60:11:60:11 | p | tst2.js:60:3:60:5 | [post update] obj [p] | provenance | |
|
|
| tst2.js:61:7:61:11 | other [p] | tst2.js:64:12:64:16 | other [p] | provenance | |
|
|
| tst2.js:61:15:61:25 | fclone(obj) [p] | tst2.js:61:7:61:11 | other [p] | provenance | |
|
|
| tst2.js:61:22:61:24 | obj [p] | tst2.js:61:15:61:25 | fclone(obj) [p] | provenance | |
|
|
| tst2.js:64:12:64:16 | other [p] | tst2.js:64:12:64:18 | other.p | provenance | |
|
|
| tst2.js:69:9:69:9 | p | tst2.js:69:9:69:9 | p | provenance | |
|
|
| tst2.js:69:9:69:9 | p | tst2.js:72:11:72:11 | p | provenance | |
|
|
| tst2.js:69:9:69:9 | p | tst2.js:75:12:75:12 | p | provenance | |
|
|
| tst2.js:72:3:72:5 | [post update] obj [p] | tst2.js:73:40:73:42 | obj [p] | provenance | |
|
|
| tst2.js:72:11:72:11 | p | tst2.js:72:3:72:5 | [post update] obj [p] | provenance | |
|
|
| tst2.js:73:7:73:11 | other [p] | tst2.js:76:12:76:16 | other [p] | provenance | |
|
|
| tst2.js:73:15:73:44 | jc.retr ... e(obj)) [p] | tst2.js:73:7:73:11 | other [p] | provenance | |
|
|
| tst2.js:73:29:73:43 | jc.decycle(obj) [p] | tst2.js:73:15:73:44 | jc.retr ... e(obj)) [p] | provenance | |
|
|
| tst2.js:73:40:73:42 | obj [p] | tst2.js:73:29:73:43 | jc.decycle(obj) [p] | provenance | |
|
|
| tst2.js:76:12:76:16 | other [p] | tst2.js:76:12:76:18 | other.p | provenance | |
|
|
| tst2.js:82:9:82:9 | p | tst2.js:82:9:82:9 | p | provenance | |
|
|
| tst2.js:82:9:82:9 | p | tst2.js:85:11:85:11 | p | provenance | |
|
|
| tst2.js:82:9:82:9 | p | tst2.js:88:12:88:12 | p | provenance | |
|
|
| tst2.js:85:3:85:5 | [post update] obj [p] | tst2.js:86:24:86:26 | obj [p] | provenance | |
|
|
| tst2.js:85:11:85:11 | p | tst2.js:85:3:85:5 | [post update] obj [p] | provenance | |
|
|
| tst2.js:86:7:86:11 | other [p] | tst2.js:89:12:89:16 | other [p] | provenance | |
|
|
| tst2.js:86:15:86:27 | sortKeys(obj) [p] | tst2.js:86:7:86:11 | other [p] | provenance | |
|
|
| tst2.js:86:24:86:26 | obj [p] | tst2.js:86:15:86:27 | sortKeys(obj) [p] | provenance | |
|
|
| tst2.js:89:12:89:16 | other [p] | tst2.js:89:12:89:18 | other.p | provenance | |
|
|
| tst2.js:93:9:93:9 | p | tst2.js:93:9:93:9 | p | provenance | |
|
|
| tst2.js:93:9:93:9 | p | tst2.js:99:51:99:51 | p | provenance | |
|
|
| tst2.js:99:7:99:12 | unsafe | tst2.js:101:12:101:17 | unsafe | provenance | |
|
|
| tst2.js:99:16:99:69 | seriali ... true}) | tst2.js:99:7:99:12 | unsafe | provenance | |
|
|
| tst2.js:99:36:99:52 | {someProperty: p} [someProperty] | tst2.js:99:16:99:69 | seriali ... true}) | provenance | |
|
|
| tst2.js:99:51:99:51 | p | tst2.js:99:16:99:69 | seriali ... true}) | provenance | |
|
|
| tst2.js:99:51:99:51 | p | tst2.js:99:36:99:52 | {someProperty: p} [someProperty] | provenance | |
|
|
| tst2.js:105:9:105:9 | p | tst2.js:105:9:105:9 | p | provenance | |
|
|
| tst2.js:105:9:105:9 | p | tst2.js:110:28:110:28 | p | provenance | |
|
|
| tst2.js:110:7:110:9 | obj [someProperty] | tst2.js:111:36:111:38 | obj [someProperty] | provenance | |
|
|
| tst2.js:110:13:110:29 | {someProperty: p} [someProperty] | tst2.js:110:7:110:9 | obj [someProperty] | provenance | |
|
|
| tst2.js:110:28:110:28 | p | tst2.js:110:13:110:29 | {someProperty: p} [someProperty] | provenance | |
|
|
| tst2.js:110:28:110:28 | p | tst2.js:111:16:111:55 | seriali ... true}) | provenance | |
|
|
| tst2.js:111:7:111:12 | unsafe | tst2.js:113:12:113:17 | unsafe | provenance | |
|
|
| tst2.js:111:16:111:55 | seriali ... true}) | tst2.js:111:7:111:12 | unsafe | provenance | |
|
|
| tst2.js:111:36:111:38 | obj [someProperty] | tst2.js:111:16:111:55 | seriali ... true}) | provenance | |
|
|
| tst3.js:5:9:5:9 | p | tst3.js:5:9:5:9 | p | provenance | |
|
|
| tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | provenance | |
|
|
| tst3.js:11:9:11:12 | code | tst3.js:12:12:12:15 | code | provenance | |
|
|
| tst3.js:11:16:11:74 | prettie ... bel" }) | tst3.js:11:9:11:12 | code | provenance | |
|
|
| tst3.js:11:32:11:39 | reg.body | tst3.js:11:16:11:74 | prettie ... bel" }) | provenance | |
|
|
nodes
|
|
| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id |
|
|
| ReflectedXss.js:7:33:7:45 | req.params.id | semmle.label | req.params.id |
|
|
| ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id |
|
|
| ReflectedXss.js:16:31:16:39 | params.id | semmle.label | params.id |
|
|
| ReflectedXss.js:21:12:21:19 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:22:12:22:27 | marked(req.body) | semmle.label | marked(req.body) |
|
|
| ReflectedXss.js:22:19:22:26 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:28:12:28:19 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:29:7:29:13 | mytable | semmle.label | mytable |
|
|
| ReflectedXss.js:29:17:32:4 | table([ ... ce\\n ]) | semmle.label | table([ ... ce\\n ]) |
|
|
| ReflectedXss.js:29:23:32:3 | [\\n [ ... rce\\n ] [1, 1] | semmle.label | [\\n [ ... rce\\n ] [1, 1] |
|
|
| ReflectedXss.js:31:5:31:22 | ['body', req.body] [1] | semmle.label | ['body', req.body] [1] |
|
|
| ReflectedXss.js:31:14:31:21 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:33:12:33:18 | mytable | semmle.label | mytable |
|
|
| ReflectedXss.js:40:12:40:19 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:41:12:41:39 | convert ... q.body) | semmle.label | convert ... q.body) |
|
|
| ReflectedXss.js:41:31:41:38 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:55:12:55:19 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:63:14:63:21 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:63:39:63:42 | file | semmle.label | file |
|
|
| ReflectedXss.js:64:16:64:19 | file | semmle.label | file |
|
|
| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | semmle.label | remark( ... q.body) |
|
|
| ReflectedXss.js:67:12:67:52 | remark( ... tring() | semmle.label | remark( ... tring() |
|
|
| ReflectedXss.js:67:33:67:40 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:71:12:71:56 | unified ... q.body) | semmle.label | unified ... q.body) |
|
|
| ReflectedXss.js:71:12:71:65 | unified ... oString | semmle.label | unified ... oString |
|
|
| ReflectedXss.js:71:48:71:55 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:73:20:73:27 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:73:34:73:34 | f | semmle.label | f |
|
|
| ReflectedXss.js:74:14:74:14 | f | semmle.label | f |
|
|
| ReflectedXss.js:82:12:82:19 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) |
|
|
| ReflectedXss.js:83:22:83:29 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) |
|
|
| ReflectedXss.js:84:23:84:30 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:96:12:96:19 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | semmle.label | markdow ... q.body) |
|
|
| ReflectedXss.js:97:30:97:37 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | semmle.label | markdow ... q.body) |
|
|
| ReflectedXss.js:99:31:99:38 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | semmle.label | markdow ... q.body) |
|
|
| ReflectedXss.js:102:76:102:83 | req.body | semmle.label | req.body |
|
|
| ReflectedXss.js:109:16:109:30 | request.query.p | semmle.label | request.query.p |
|
|
| ReflectedXss.js:113:13:113:27 | keys: queryKeys | semmle.label | keys: queryKeys |
|
|
| ReflectedXss.js:113:19:113:27 | queryKeys | semmle.label | queryKeys |
|
|
| ReflectedXss.js:115:11:115:14 | keys | semmle.label | keys |
|
|
| ReflectedXss.js:115:18:115:26 | queryKeys | semmle.label | queryKeys |
|
|
| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | semmle.label | paramKeys?.keys |
|
|
| ReflectedXss.js:117:11:117:18 | keyArray | semmle.label | keyArray |
|
|
| ReflectedXss.js:117:11:117:18 | keyArray [0] | semmle.label | keyArray [0] |
|
|
| ReflectedXss.js:117:49:117:54 | [keys] [0] | semmle.label | [keys] [0] |
|
|
| ReflectedXss.js:117:50:117:53 | keys | semmle.label | keys |
|
|
| ReflectedXss.js:117:58:117:61 | keys | semmle.label | keys |
|
|
| ReflectedXss.js:118:11:118:21 | invalidKeys | semmle.label | invalidKeys |
|
|
| ReflectedXss.js:118:11:118:21 | invalidKeys [0] | semmle.label | invalidKeys [0] |
|
|
| ReflectedXss.js:118:25:118:32 | keyArray | semmle.label | keyArray |
|
|
| ReflectedXss.js:118:25:118:32 | keyArray [0] | semmle.label | keyArray [0] |
|
|
| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) |
|
|
| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] |
|
|
| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | semmle.label | `${inva ... telist` |
|
|
| ReflectedXss.js:121:33:121:43 | invalidKeys | semmle.label | invalidKeys |
|
|
| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | semmle.label | invalidKeys [0] |
|
|
| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') |
|
|
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id |
|
|
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | semmle.label | req.params.id |
|
|
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id |
|
|
| ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | semmle.label | req.params.id |
|
|
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id |
|
|
| ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | semmle.label | req.params.id |
|
|
| ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id |
|
|
| ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | semmle.label | req.params.id |
|
|
| ReflectedXssGood3.js:68:22:68:26 | value | semmle.label | value |
|
|
| ReflectedXssGood3.js:77:7:77:11 | parts | semmle.label | parts |
|
|
| ReflectedXssGood3.js:77:7:77:11 | parts [0] | semmle.label | parts [0] |
|
|
| ReflectedXssGood3.js:77:15:77:37 | [value. ... (0, i)] [0] | semmle.label | [value. ... (0, i)] [0] |
|
|
| ReflectedXssGood3.js:77:16:77:20 | value | semmle.label | value |
|
|
| ReflectedXssGood3.js:77:16:77:36 | value.s ... g(0, i) | semmle.label | value.s ... g(0, i) |
|
|
| ReflectedXssGood3.js:105:7:105:11 | [post update] parts [ArrayElement] | semmle.label | [post update] parts [ArrayElement] |
|
|
| ReflectedXssGood3.js:105:18:105:22 | value | semmle.label | value |
|
|
| ReflectedXssGood3.js:105:18:105:38 | value.s ... g(j, i) | semmle.label | value.s ... g(j, i) |
|
|
| ReflectedXssGood3.js:108:10:108:14 | parts | semmle.label | parts |
|
|
| ReflectedXssGood3.js:108:10:108:14 | parts [0] | semmle.label | parts [0] |
|
|
| ReflectedXssGood3.js:108:10:108:14 | parts [ArrayElement] | semmle.label | parts [ArrayElement] |
|
|
| ReflectedXssGood3.js:108:10:108:23 | parts.join('') | semmle.label | parts.join('') |
|
|
| ReflectedXssGood3.js:135:9:135:11 | url | semmle.label | url |
|
|
| ReflectedXssGood3.js:135:15:135:27 | req.params.id | semmle.label | req.params.id |
|
|
| ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | semmle.label | escapeHtml3(url) |
|
|
| ReflectedXssGood3.js:139:24:139:26 | url | semmle.label | url |
|
|
| app/api/route.ts:2:11:2:14 | body | semmle.label | body |
|
|
| app/api/route.ts:2:18:2:33 | await req.json() | semmle.label | await req.json() |
|
|
| app/api/route.ts:2:24:2:33 | req.json() | semmle.label | req.json() |
|
|
| app/api/route.ts:5:18:5:21 | body | semmle.label | body |
|
|
| app/api/route.ts:13:18:13:21 | body | semmle.label | body |
|
|
| app/api/route.ts:25:18:25:21 | body | semmle.label | body |
|
|
| app/api/route.ts:29:25:29:28 | body | semmle.label | body |
|
|
| app/api/routeNextRequest.ts:4:9:4:12 | body | semmle.label | body |
|
|
| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | semmle.label | await req.json() |
|
|
| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | semmle.label | req.json() |
|
|
| app/api/routeNextRequest.ts:7:20:7:23 | body | semmle.label | body |
|
|
| app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body |
|
|
| app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body |
|
|
| app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body |
|
|
| app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url |
|
|
| app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url |
|
|
| etherpad.js:9:5:9:12 | response | semmle.label | response |
|
|
| etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp |
|
|
| etherpad.js:11:12:11:19 | response | semmle.label | response |
|
|
| formatting.js:4:9:4:12 | evil | semmle.label | evil |
|
|
| formatting.js:4:16:4:29 | req.query.evil | semmle.label | req.query.evil |
|
|
| formatting.js:6:14:6:47 | util.fo ... , evil) | semmle.label | util.fo ... , evil) |
|
|
| formatting.js:6:43:6:46 | evil | semmle.label | evil |
|
|
| formatting.js:7:14:7:53 | require ... , evil) | semmle.label | require ... , evil) |
|
|
| formatting.js:7:49:7:52 | evil | semmle.label | evil |
|
|
| live-server.js:4:11:4:17 | tainted | semmle.label | tainted |
|
|
| live-server.js:4:21:4:27 | req.url | semmle.label | req.url |
|
|
| live-server.js:6:13:6:50 | `<html> ... /html>` | semmle.label | `<html> ... /html>` |
|
|
| live-server.js:6:28:6:34 | tainted | semmle.label | tainted |
|
|
| live-server.js:10:11:10:17 | tainted | semmle.label | tainted |
|
|
| live-server.js:10:21:10:27 | req.url | semmle.label | req.url |
|
|
| live-server.js:12:13:12:50 | `<html> ... /html>` | semmle.label | `<html> ... /html>` |
|
|
| live-server.js:12:28:12:34 | tainted | semmle.label | tainted |
|
|
| pages/Next.jsx:8:13:8:19 | req.url | semmle.label | req.url |
|
|
| pages/Next.jsx:15:13:15:19 | req.url | semmle.label | req.url |
|
|
| pages/api/myapi.js:2:14:2:20 | req.url | semmle.label | req.url |
|
|
| partial.js:9:25:9:25 | x | semmle.label | x |
|
|
| partial.js:10:14:10:14 | x | semmle.label | x |
|
|
| partial.js:10:14:10:18 | x + y | semmle.label | x + y |
|
|
| partial.js:13:42:13:48 | req.url | semmle.label | req.url |
|
|
| partial.js:18:25:18:25 | x | semmle.label | x |
|
|
| partial.js:19:14:19:14 | x | semmle.label | x |
|
|
| partial.js:19:14:19:18 | x + y | semmle.label | x + y |
|
|
| partial.js:22:51:22:57 | req.url | semmle.label | req.url |
|
|
| partial.js:27:25:27:25 | x | semmle.label | x |
|
|
| partial.js:28:14:28:14 | x | semmle.label | x |
|
|
| partial.js:28:14:28:18 | x + y | semmle.label | x + y |
|
|
| partial.js:31:47:31:53 | req.url | semmle.label | req.url |
|
|
| partial.js:36:25:36:25 | x | semmle.label | x |
|
|
| partial.js:37:14:37:14 | x | semmle.label | x |
|
|
| partial.js:37:14:37:18 | x + y | semmle.label | x + y |
|
|
| partial.js:40:43:40:49 | req.url | semmle.label | req.url |
|
|
| promises.js:5:3:5:59 | new Pro ... .data)) [PromiseValue] | semmle.label | new Pro ... .data)) [PromiseValue] |
|
|
| promises.js:5:16:5:22 | resolve [Return] [resolve-value] | semmle.label | resolve [Return] [resolve-value] |
|
|
| promises.js:5:36:5:42 | [post update] resolve [resolve-value] | semmle.label | [post update] resolve [resolve-value] |
|
|
| promises.js:5:44:5:57 | req.query.data | semmle.label | req.query.data |
|
|
| promises.js:6:11:6:11 | x | semmle.label | x |
|
|
| promises.js:6:25:6:25 | x | semmle.label | x |
|
|
| response-object.js:7:11:7:14 | data | semmle.label | data |
|
|
| response-object.js:7:18:7:25 | req.body | semmle.label | req.body |
|
|
| response-object.js:9:18:9:21 | data | semmle.label | data |
|
|
| response-object.js:10:18:10:21 | data | semmle.label | data |
|
|
| response-object.js:11:18:11:21 | data | semmle.label | data |
|
|
| response-object.js:14:18:14:21 | data | semmle.label | data |
|
|
| response-object.js:17:18:17:21 | data | semmle.label | data |
|
|
| response-object.js:23:18:23:21 | data | semmle.label | data |
|
|
| response-object.js:26:18:26:21 | data | semmle.label | data |
|
|
| response-object.js:34:18:34:21 | data | semmle.label | data |
|
|
| response-object.js:38:18:38:21 | data | semmle.label | data |
|
|
| tst2.js:6:9:6:9 | p | semmle.label | p |
|
|
| tst2.js:6:9:6:9 | p | semmle.label | p |
|
|
| tst2.js:6:12:6:15 | q: r | semmle.label | q: r |
|
|
| tst2.js:6:15:6:15 | r | semmle.label | r |
|
|
| tst2.js:7:12:7:12 | p | semmle.label | p |
|
|
| tst2.js:8:12:8:12 | r | semmle.label | r |
|
|
| tst2.js:14:9:14:9 | p | semmle.label | p |
|
|
| tst2.js:14:9:14:9 | p | semmle.label | p |
|
|
| tst2.js:18:12:18:12 | p | semmle.label | p |
|
|
| tst2.js:21:14:21:14 | p | semmle.label | p |
|
|
| tst2.js:30:9:30:9 | p | semmle.label | p |
|
|
| tst2.js:30:9:30:9 | p | semmle.label | p |
|
|
| tst2.js:33:3:33:5 | [post update] obj [p] | semmle.label | [post update] obj [p] |
|
|
| tst2.js:33:11:33:11 | p | semmle.label | p |
|
|
| tst2.js:34:7:34:11 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:34:15:34:24 | clone(obj) [p] | semmle.label | clone(obj) [p] |
|
|
| tst2.js:34:21:34:23 | obj [p] | semmle.label | obj [p] |
|
|
| tst2.js:36:12:36:12 | p | semmle.label | p |
|
|
| tst2.js:37:12:37:16 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:37:12:37:18 | other.p | semmle.label | other.p |
|
|
| tst2.js:43:9:43:9 | p | semmle.label | p |
|
|
| tst2.js:43:9:43:9 | p | semmle.label | p |
|
|
| tst2.js:49:7:49:12 | unsafe | semmle.label | unsafe |
|
|
| tst2.js:49:16:49:53 | seriali ... true}) | semmle.label | seriali ... true}) |
|
|
| tst2.js:49:36:49:36 | p | semmle.label | p |
|
|
| tst2.js:51:12:51:17 | unsafe | semmle.label | unsafe |
|
|
| tst2.js:57:9:57:9 | p | semmle.label | p |
|
|
| tst2.js:57:9:57:9 | p | semmle.label | p |
|
|
| tst2.js:60:3:60:5 | [post update] obj [p] | semmle.label | [post update] obj [p] |
|
|
| tst2.js:60:11:60:11 | p | semmle.label | p |
|
|
| tst2.js:61:7:61:11 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:61:15:61:25 | fclone(obj) [p] | semmle.label | fclone(obj) [p] |
|
|
| tst2.js:61:22:61:24 | obj [p] | semmle.label | obj [p] |
|
|
| tst2.js:63:12:63:12 | p | semmle.label | p |
|
|
| tst2.js:64:12:64:16 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:64:12:64:18 | other.p | semmle.label | other.p |
|
|
| tst2.js:69:9:69:9 | p | semmle.label | p |
|
|
| tst2.js:69:9:69:9 | p | semmle.label | p |
|
|
| tst2.js:72:3:72:5 | [post update] obj [p] | semmle.label | [post update] obj [p] |
|
|
| tst2.js:72:11:72:11 | p | semmle.label | p |
|
|
| tst2.js:73:7:73:11 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:73:15:73:44 | jc.retr ... e(obj)) [p] | semmle.label | jc.retr ... e(obj)) [p] |
|
|
| tst2.js:73:29:73:43 | jc.decycle(obj) [p] | semmle.label | jc.decycle(obj) [p] |
|
|
| tst2.js:73:40:73:42 | obj [p] | semmle.label | obj [p] |
|
|
| tst2.js:75:12:75:12 | p | semmle.label | p |
|
|
| tst2.js:76:12:76:16 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:76:12:76:18 | other.p | semmle.label | other.p |
|
|
| tst2.js:82:9:82:9 | p | semmle.label | p |
|
|
| tst2.js:82:9:82:9 | p | semmle.label | p |
|
|
| tst2.js:85:3:85:5 | [post update] obj [p] | semmle.label | [post update] obj [p] |
|
|
| tst2.js:85:11:85:11 | p | semmle.label | p |
|
|
| tst2.js:86:7:86:11 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:86:15:86:27 | sortKeys(obj) [p] | semmle.label | sortKeys(obj) [p] |
|
|
| tst2.js:86:24:86:26 | obj [p] | semmle.label | obj [p] |
|
|
| tst2.js:88:12:88:12 | p | semmle.label | p |
|
|
| tst2.js:89:12:89:16 | other [p] | semmle.label | other [p] |
|
|
| tst2.js:89:12:89:18 | other.p | semmle.label | other.p |
|
|
| tst2.js:93:9:93:9 | p | semmle.label | p |
|
|
| tst2.js:93:9:93:9 | p | semmle.label | p |
|
|
| tst2.js:99:7:99:12 | unsafe | semmle.label | unsafe |
|
|
| tst2.js:99:16:99:69 | seriali ... true}) | semmle.label | seriali ... true}) |
|
|
| tst2.js:99:36:99:52 | {someProperty: p} [someProperty] | semmle.label | {someProperty: p} [someProperty] |
|
|
| tst2.js:99:51:99:51 | p | semmle.label | p |
|
|
| tst2.js:101:12:101:17 | unsafe | semmle.label | unsafe |
|
|
| tst2.js:105:9:105:9 | p | semmle.label | p |
|
|
| tst2.js:105:9:105:9 | p | semmle.label | p |
|
|
| tst2.js:110:7:110:9 | obj [someProperty] | semmle.label | obj [someProperty] |
|
|
| tst2.js:110:13:110:29 | {someProperty: p} [someProperty] | semmle.label | {someProperty: p} [someProperty] |
|
|
| tst2.js:110:28:110:28 | p | semmle.label | p |
|
|
| tst2.js:111:7:111:12 | unsafe | semmle.label | unsafe |
|
|
| tst2.js:111:16:111:55 | seriali ... true}) | semmle.label | seriali ... true}) |
|
|
| tst2.js:111:36:111:38 | obj [someProperty] | semmle.label | obj [someProperty] |
|
|
| tst2.js:113:12:113:17 | unsafe | semmle.label | unsafe |
|
|
| tst3.js:5:9:5:9 | p | semmle.label | p |
|
|
| tst3.js:5:9:5:9 | p | semmle.label | p |
|
|
| tst3.js:6:12:6:12 | p | semmle.label | p |
|
|
| tst3.js:11:9:11:12 | code | semmle.label | code |
|
|
| tst3.js:11:16:11:74 | prettie ... bel" }) | semmle.label | prettie ... bel" }) |
|
|
| tst3.js:11:32:11:39 | reg.body | semmle.label | reg.body |
|
|
| tst3.js:12:12:12:15 | code | semmle.label | code |
|
|
subpaths
|
|
| ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) |
|