Detect Django template URLs

rafaelurben · web-flow · commit 286e3951bf12 · 2023-11-28T22:22:07.000+01:00
Django URLs are currently not detected, but flask and nunjucks URL are. (See #12267)
diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql
@@ -44,7 +44,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
       // ... that does not start with a fixed host or a relative path (common formats)
       not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
       // .. that is not a call to `url_for` in a Flask / nunjucks application
-      not url.regexpMatch("\\{\\{\\s*url(_for)?\\(.+\\).*")
+      not url.regexpMatch("\\{\\{\\s*url(_for)?\\(.+\\).*") and
+      // .. that is not a call to `url` in a Django application
+      not url.regexpMatch("\\{%\\s*url.*")
     )
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,9 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {`
`44`	`44`	`// ... that does not start with a fixed host or a relative path (common formats)`
`45`	`45`	`not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]/.") and`
`46`	`46`	// .. that is not a call to `url_for` in a Flask / nunjucks application
`47`		`- not url.regexpMatch("\\{\\{\\surl(_for)?\\(.+\\).")`
	`47`	`+ not url.regexpMatch("\\{\\{\\surl(_for)?\\(.+\\).") and`
	`48`	+ // .. that is not a call to `url` in a Django application
	`49`	`+ not url.regexpMatch("\\{%\\surl.")`
`48`	`50`	`)`
`49`	`51`	`)`
`50`	`52`	`}`