
Commit 6aac353

committed
JS: Update test output
1 parent 50a015c commit 6aac353


2 files changed

+109
-31
lines changed


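--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -60,11 +60,12 @@ nodes
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | jquery.js:2:7:2:40 | tainted |
+| jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:40 | documen ... .search |
-| jquery.js:4:5:4:11 | tainted |
-| jquery.js:4:5:4:11 | tainted |
+| jquery.js:2:17:2:40 | documen ... .search |
+| jquery.js:2:17:2:40 | documen ... .search |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
 | jquery.js:7:20:7:26 | tainted |
@@ -223,9 +224,12 @@ nodes
 | tst3.js:10:38:10:43 | data.p |
 | tst3.js:10:38:10:43 | data.p |
 | tst.js:2:7:2:39 | target |
+| tst.js:2:7:2:39 | target |
 | tst.js:2:16:2:32 | document.location |
 | tst.js:2:16:2:32 | document.location |
 | tst.js:2:16:2:39 | documen ... .search |
+| tst.js:2:16:2:39 | documen ... .search |
+| tst.js:2:16:2:39 | documen ... .search |
 | tst.js:5:18:5:23 | target |
 | tst.js:5:18:5:23 | target |
 | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
@@ -444,6 +448,7 @@ nodes
 | tst.js:332:18:332:35 | params.get('name') |
 | tst.js:341:20:341:36 | document.location |
 | tst.js:341:20:341:36 | document.location |
+| tst.js:343:5:343:17 | getUrl().hash |
 | tst.js:343:5:343:30 | getUrl( ... ring(1) |
 | tst.js:343:5:343:30 | getUrl( ... ring(1) |
 | tst.js:348:7:348:39 | target |
@@ -495,18 +500,22 @@ nodes
 | tst.js:416:7:416:46 | payload |
 | tst.js:416:17:416:31 | window.location |
 | tst.js:416:17:416:31 | window.location |
+| tst.js:416:17:416:36 | window.location.hash |
 | tst.js:416:17:416:46 | window. ... bstr(1) |
 | tst.js:417:18:417:24 | payload |
 | tst.js:417:18:417:24 | payload |
 | tst.js:419:7:419:55 | match |
 | tst.js:419:15:419:29 | window.location |
 | tst.js:419:15:419:29 | window.location |
+| tst.js:419:15:419:34 | window.location.hash |
 | tst.js:419:15:419:55 | window. ... (\\w+)/) |
 | tst.js:421:20:421:24 | match |
 | tst.js:421:20:421:27 | match[1] |
 | tst.js:421:20:421:27 | match[1] |
 | tst.js:424:18:424:32 | window.location |
 | tst.js:424:18:424:32 | window.location |
+| tst.js:424:18:424:37 | window.location.hash |
+| tst.js:424:18:424:48 | window. ... it('#') |
 | tst.js:424:18:424:51 | window. ... '#')[1] |
 | tst.js:424:18:424:51 | window. ... '#')[1] |
 | typeahead.js:20:13:20:45 | target |
@@ -574,11 +583,17 @@ edges
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
 | jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
 | jquery.js:2:17:2:33 | document.location | jquery.js:2:17:2:40 | documen ... .search |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
+| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
+| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
 | jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
@@ -731,6 +746,8 @@ edges
 | tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
 | tst.js:2:16:2:32 | document.location | tst.js:2:16:2:39 | documen ... .search |
 | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
+| tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
+| tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target |
 | tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
 | tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
 | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
@@ -916,10 +933,10 @@ edges
 | tst.js:327:18:327:34 | document.location | tst.js:332:18:332:35 | params.get('name') |
 | tst.js:327:18:327:34 | document.location | tst.js:332:18:332:35 | params.get('name') |
 | tst.js:327:18:327:34 | document.location | tst.js:332:18:332:35 | params.get('name') |
-| tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) |
-| tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) |
-| tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) |
-| tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) |
+| tst.js:341:20:341:36 | document.location | tst.js:343:5:343:17 | getUrl().hash |
+| tst.js:341:20:341:36 | document.location | tst.js:343:5:343:17 | getUrl().hash |
+| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) |
+| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) |
 | tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target |
 | tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target |
 | tst.js:348:16:348:32 | document.location | tst.js:348:16:348:39 | documen ... .search |
@@ -964,19 +981,22 @@ edges
 | tst.js:408:19:408:31 | target.taint8 | tst.js:409:18:409:30 | target.taint8 |
 | tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload |
 | tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload |
-| tst.js:416:17:416:31 | window.location | tst.js:416:17:416:46 | window. ... bstr(1) |
-| tst.js:416:17:416:31 | window.location | tst.js:416:17:416:46 | window. ... bstr(1) |
+| tst.js:416:17:416:31 | window.location | tst.js:416:17:416:36 | window.location.hash |
+| tst.js:416:17:416:31 | window.location | tst.js:416:17:416:36 | window.location.hash |
+| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) |
 | tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload |
 | tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match |
-| tst.js:419:15:419:29 | window.location | tst.js:419:15:419:55 | window. ... (\\w+)/) |
-| tst.js:419:15:419:29 | window.location | tst.js:419:15:419:55 | window. ... (\\w+)/) |
+| tst.js:419:15:419:29 | window.location | tst.js:419:15:419:34 | window.location.hash |
+| tst.js:419:15:419:29 | window.location | tst.js:419:15:419:34 | window.location.hash |
+| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) |
 | tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match |
 | tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] |
 | tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] |
-| tst.js:424:18:424:32 | window.location | tst.js:424:18:424:51 | window. ... '#')[1] |
-| tst.js:424:18:424:32 | window.location | tst.js:424:18:424:51 | window. ... '#')[1] |
-| tst.js:424:18:424:32 | window.location | tst.js:424:18:424:51 | window. ... '#')[1] |
-| tst.js:424:18:424:32 | window.location | tst.js:424:18:424:51 | window. ... '#')[1] |
+| tst.js:424:18:424:32 | window.location | tst.js:424:18:424:37 | window.location.hash |
+| tst.js:424:18:424:32 | window.location | tst.js:424:18:424:37 | window.location.hash |
+| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') |
+| tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] |
+| tst.js:424:18:424:48 | window. ... it('#') | tst.js:424:18:424:51 | window. ... '#')[1] |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
@@ -1013,18 +1033,20 @@ edges
 | angular2-client.ts:35:44:35:91 | this.ro ... arams.x | angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:89 | this.ro ... .params | user-provided value |
 | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:37:44:37:58 | this.router.url | user-provided value |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | user-provided value |
+| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
+| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
-| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
-| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
 | optionalSanitizer.js:17:20:17:20 | x | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:17:20:17:20 | x | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
 | optionalSanitizer.js:32:18:32:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:32:18:32:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
 | optionalSanitizer.js:36:18:36:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:36:18:36:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
 | optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
 | optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
 | optionalSanitizer.js:45:18:45:56 | sanitiz ... target | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:45:18:45:56 | sanitiz ... target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
+| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
+| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
 | react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | sanitiser.js:23:21:23:44 | '<b>' + ... '</b>' | sanitiser.js:16:17:16:27 | window.name | sanitiser.js:23:21:23:44 | '<b>' + ... '</b>' | Cross-site scripting vulnerability due to $@. | sanitiser.js:16:17:16:27 | window.name | user-provided value |
@@ -1051,7 +1073,7 @@ edges
 | tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:56 | window.location | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:56 | window.location | user-provided value |
 | tst.js:5:18:5:23 | target | tst.js:2:16:2:32 | document.location | tst.js:5:18:5:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:32 | document.location | user-provided value |
 | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | tst.js:8:37:8:53 | document.location | tst.js:8:18:8:126 | "<OPTIO ... PTION>" | Cross-site scripting vulnerability due to $@. | tst.js:8:37:8:53 | document.location | user-provided value |
-| tst.js:12:5:12:42 | '<div s ... 'px">' | tst.js:2:16:2:32 | document.location | tst.js:12:5:12:42 | '<div s ... 'px">' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:32 | document.location | user-provided value |
+| tst.js:12:5:12:42 | '<div s ... 'px">' | tst.js:2:16:2:39 | documen ... .search | tst.js:12:5:12:42 | '<div s ... 'px">' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value |
 | tst.js:18:18:18:35 | params.get('name') | tst.js:17:25:17:41 | document.location | tst.js:18:18:18:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:17:25:17:41 | document.location | user-provided value |
 | tst.js:21:18:21:41 | searchP ... 'name') | tst.js:2:16:2:32 | document.location | tst.js:21:18:21:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:32 | document.location | user-provided value |
 | tst.js:26:18:26:23 | target | tst.js:28:5:28:21 | document.location | tst.js:26:18:26:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:28:5:28:21 | document.location | user-provided value |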
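Review bot: The `nodes` hunk at old line 60 deletes both `| jquery.js:4:5:4:11 | tainted |` rows, but the unchanged `edges` rows ending in `jquery.js:4:5:4:11 | tainted` and the unchanged alert for that sink still refer to it, so the expected output now lists an edge endpoint and an alert sink with no matching node row. The four `exception-xss.js` edge rows are also inserted in the middle of the `jquery.js` edges, and the `optionalSanitizer.js:6` and `:9` alerts move below `:45`, which suggests the file was merged by hand rather than regenerated from a test run. I would regenerate `Xss.expected` from the actual query output and check that the `jquery.js:4:5:4:11` node rows come back. Separately, the sink `jquery.js:7:5:7:34` now carries two alerts, one with source `document.location` and one with `documen ... .search`; if the query is meant to report a single source per flow, that duplicate should be resolved in the source definition before it is accepted as expected output, since it would double-report one XSS finding to users.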
