
Commit 7e6fa7b

authored
Merge pull request #4392 from erik-krogh/flask
Approved by asgerf
2 parents 3c41548 + d6dc4bb commit 7e6fa7b

2 files changed

+8
-1
lines changed

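--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -31,7 +31,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
 // fixed string with templating
 url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
 // ... that does not start with a fixed host or a relative path (common formats)
-not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*")
+not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
+// .. that is not a call to `url_for` in a Flask application
+not url.regexpMatch("\\{\\{\\s*url_for.*")
 )
 )
 }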
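Review bot: The new exclusion `"\\{\\{\\s*url_for.*"` matches `url_for` as a bare prefix, so any template expression whose name merely begins with those letters (a `url_format` or `url_for_external` helper, for example) also silences the alert, which widens the suppression beyond the Flask `url_for` call the comment describes. Anchoring the match on the call itself keeps the exclusion narrow: `not url.regexpMatch("\\{\\{\\s*url_for\\s*\\(.*")`. The hard-coded `{{` also differs from the line just above, which derives its delimiters from `Templating::getDelimiterMatchingRegexpWithPrefix`; that is presumably fine because Flask templates are Jinja, but a short comment saying so would save the next reader the question. The `// ..` comment should use three dots like the two comments above it. The predicate's opening lines are outside this hunk.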

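--- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js
+++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js
@@ -58,3 +58,8 @@ function f() {
 <a href="index.html/{{X}}" target="_blank">Example</a>;
 <a href="../index.html/{{X}}" target="_blank">Example</a>;
 <a href="/{{X}}" target="_blank">Example</a>;
+
+// OK, Flask application with internal links
+<a href="{{url_for('foo.html', 'foo')}}" target="_blank">Example</a>;
+<a href="{{ url_for('foo.html', 'foo')}}" target="_blank">Example</a>;
+<a href="{{ url_for('foo.html', 'foo')}}" target="_blank">Example</a>;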
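Review bot: The three new cases only vary the whitespace after `{{`, and the last two are byte-identical, so the test does not show where the new exclusion stops; a neighbouring case that should still be flagged would pin that boundary, e.g. `// NOT OK, not a url_for call` followed by `<a href="{{ url_format('foo') }}" target="_blank">Example</a>;`. The expected-output file is not part of this diff, so whether such a case is already covered elsewhere cannot be seen from here. The `function f()` containing these lines begins outside the hunk.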
