hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
a9665f53b83bf0ae67c2529b4a4fe1472b16f7b1
codeql/change-notes/1.23/analysis-javascript.md
Esben Sparre Andreasen a9665f53b8 JS: whitelist quote stripping for js/incomplete-sanitization
2019-09-05 09:47:49 +01:00

1.8 KiB
Raw Blame History

Improvements to JavaScript analysis

General improvements

  • Support for the following frameworks and libraries has been improved:

  • The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.

New queries

Query Tags Purpose

Changes to existing queries

Query Expected impact Change
Incomplete string escaping or encoding (js/incomplete-sanitization) Fewer false-positive results This rule now recognizes additional ways delimiters can be stripped away.
Client-side cross-site scripting (js/xss) More results More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized.
Prototype pollution (js/prototype-pollution) Same results The results are now shown on LGTM by default.

Changes to QL libraries

  • Expr.getDocumentation() now handles chain assignments.