Skip to content

Commit da2f77d

Browse files
yoffyoff
committed
javascript: remove sanitizer to be replaced by model
1 parent 3dbfb9f commit da2f77d

File tree

2 files changed

+7
-10
lines changed

2 files changed

+7
-10
lines changed

javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -100,14 +100,4 @@ module IncompleteHtmlAttributeSanitization {
100100
result = this.getQuote()
101101
}
102102
}
103-
104-
/**
105-
* An encoder for potentially malicious characters, as a sanitizer
106-
* for incomplete HTML sanitization vulnerabilities.
107-
*/
108-
class EncodingSanitizer extends Sanitizer {
109-
EncodingSanitizer() {
110-
this = DataFlow::globalVarRef(["encodeURIComponent", "encodeURI"]).getACall()
111-
}
112-
}
113103
}

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,13 +6,15 @@
66
| tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step |
77
| tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step |
88
| tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step |
9+
| tst.js:272:9:272:51 | encodeU ... /g,'')) | tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:272:28:272:50 | s().rep ... ]/g,'') | this final HTML sanitizer step |
910
| tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step |
1011
| tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
1112
| tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... ]/g,'') | this final HTML sanitizer step |
1213
| tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:302:10:302:34 | s().rep ... ]/g,'') | this final HTML sanitizer step |
1314
| tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step |
1415
| tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | this final HTML sanitizer step |
1516
edges
17+
| tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | provenance | |
1618
| tst.js:274:6:274:8 | arr | tst.js:275:9:275:11 | arr | provenance | |
1719
| tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:8 | arr | provenance | |
1820
| tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") | provenance | |
@@ -24,6 +26,8 @@ nodes
2426
| tst.js:253:21:253:45 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
2527
| tst.js:254:32:254:56 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
2628
| tst.js:270:61:270:85 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
29+
| tst.js:272:9:272:51 | encodeU ... /g,'')) | semmle.label | encodeU ... /g,'')) |
30+
| tst.js:272:28:272:50 | s().rep ... ]/g,'') | semmle.label | s().rep ... ]/g,'') |
2731
| tst.js:274:6:274:8 | arr | semmle.label | arr |
2832
| tst.js:274:12:274:94 | s().val ... g , '') | semmle.label | s().val ... g , '') |
2933
| tst.js:275:9:275:11 | arr | semmle.label | arr |
@@ -34,3 +38,6 @@ nodes
3438
| tst.js:303:10:303:34 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
3539
| tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | semmle.label | s().rep ... ;";\\n\\t}) |
3640
subpaths
41+
testFailures
42+
| tst.js:272:9:272:51 | encodeU ... /g,'')) | Unexpected result: Alert |
43+
| tst.js:272:28:272:50 | s().rep ... ]/g,'') | Unexpected result: Alert |

0 commit comments

Comments
 (0)