Added escape as UriEncodingSanitizer

Napalys · Napalys · commit 4a691b778bb5 · 2025-03-14T14:53:21.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
@@ -53,7 +53,7 @@ module Shared {
   class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {
     UriEncodingSanitizer() {
       exists(string name | this = DataFlow::globalVarRef(name).getACall() |
-        name = "encodeURI" or name = "encodeURIComponent"
+        name in ["encodeURI", "encodeURIComponent", "escape"]
       )
     }
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -120,8 +120,6 @@
 | string-manipulations.js:8:16:8:48 | documen ... mLeft() | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | Cross-site scripting vulnerability due to $@. | string-manipulations.js:8:16:8:37 | documen ... on.href | user-provided value |
 | string-manipulations.js:9:16:9:58 | String. ... n.href) | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:9:36:9:57 | documen ... on.href | user-provided value |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:10:23:10:44 | documen ... on.href | user-provided value |
-| string-manipulations.js:11:16:11:45 | escape( ... n.href) | string-manipulations.js:11:23:11:44 | documen ... on.href | string-manipulations.js:11:16:11:45 | escape( ... n.href) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:11:23:11:44 | documen ... on.href | user-provided value |
-| string-manipulations.js:12:16:12:61 | escape( ... href))) | string-manipulations.js:12:37:12:58 | documen ... on.href | string-manipulations.js:12:16:12:61 | escape( ... href))) | Cross-site scripting vulnerability due to $@. | string-manipulations.js:12:37:12:58 | documen ... on.href | user-provided value |
 | tainted-url-suffix-arguments.js:6:22:6:22 | y | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:6:22:6:22 | y | Cross-site scripting vulnerability due to $@. | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | user-provided value |
 | tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
 | tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
@@ -492,10 +490,6 @@ edges
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | provenance |  |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | provenance |  |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | provenance |  |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | string-manipulations.js:11:16:11:45 | escape( ... n.href) | provenance |  |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | string-manipulations.js:12:16:12:61 | escape( ... href))) | provenance |  |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | string-manipulations.js:12:23:12:60 | escape( ... .href)) | provenance |  |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | string-manipulations.js:12:30:12:59 | escape( ... n.href) | provenance |  |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | tainted-url-suffix-arguments.js:6:22:6:22 | y | provenance |  |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | tainted-url-suffix-arguments.js:12:17:12:19 | url | provenance |  |
 | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:11:11:11:36 | url | provenance |  |
@@ -1122,12 +1116,6 @@ nodes
 | string-manipulations.js:9:36:9:57 | documen ... on.href | semmle.label | documen ... on.href |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) | semmle.label | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:11:16:11:45 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:12:16:12:61 | escape( ... href))) | semmle.label | escape( ... href))) |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | semmle.label | escape( ... .href)) |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | semmle.label | documen ... on.href |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:6:22:6:22 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | semmle.label | url |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -322,12 +322,6 @@ nodes
 | string-manipulations.js:9:36:9:57 | documen ... on.href | semmle.label | documen ... on.href |
 | string-manipulations.js:10:16:10:45 | String( ... n.href) | semmle.label | String( ... n.href) |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:11:16:11:45 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | semmle.label | documen ... on.href |
-| string-manipulations.js:12:16:12:61 | escape( ... href))) | semmle.label | escape( ... href))) |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | semmle.label | escape( ... .href)) |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | semmle.label | escape( ... n.href) |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | semmle.label | documen ... on.href |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:6:22:6:22 | y | semmle.label | y |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | semmle.label | url |
@@ -940,10 +934,6 @@ edges
 | string-manipulations.js:8:16:8:37 | documen ... on.href | string-manipulations.js:8:16:8:48 | documen ... mLeft() | provenance |  |
 | string-manipulations.js:9:36:9:57 | documen ... on.href | string-manipulations.js:9:16:9:58 | String. ... n.href) | provenance |  |
 | string-manipulations.js:10:23:10:44 | documen ... on.href | string-manipulations.js:10:16:10:45 | String( ... n.href) | provenance |  |
-| string-manipulations.js:11:23:11:44 | documen ... on.href | string-manipulations.js:11:16:11:45 | escape( ... n.href) | provenance |  |
-| string-manipulations.js:12:23:12:60 | escape( ... .href)) | string-manipulations.js:12:16:12:61 | escape( ... href))) | provenance |  |
-| string-manipulations.js:12:30:12:59 | escape( ... n.href) | string-manipulations.js:12:23:12:60 | escape( ... .href)) | provenance |  |
-| string-manipulations.js:12:37:12:58 | documen ... on.href | string-manipulations.js:12:30:12:59 | escape( ... n.href) | provenance |  |
 | tainted-url-suffix-arguments.js:3:17:3:17 | y | tainted-url-suffix-arguments.js:6:22:6:22 | y | provenance |  |
 | tainted-url-suffix-arguments.js:11:11:11:36 | url | tainted-url-suffix-arguments.js:12:17:12:19 | url | provenance |  |
 | tainted-url-suffix-arguments.js:11:17:11:36 | window.location.href | tainted-url-suffix-arguments.js:11:11:11:36 | url | provenance |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js
@@ -8,5 +8,5 @@ document.write(document.location.href.toUpperCase()); // $ Alert
 document.write(document.location.href.trimLeft()); // $ Alert
 document.write(String.fromCharCode(document.location.href)); // $ Alert
 document.write(String(document.location.href)); // $ Alert
-document.write(escape(document.location.href)); // $ SPURIOUS: Alert
-document.write(escape(escape(escape(document.location.href)))); // $ SPURIOUS: Alert
+document.write(escape(document.location.href));
+document.write(escape(escape(escape(document.location.href))));

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ module Shared {`
`53`	`53`	`class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {`
`54`	`54`	`UriEncodingSanitizer() {`
`55`	`55`	`exists(string name \| this = DataFlow::globalVarRef(name).getACall() \|`
`56`		`- name = "encodeURI" or name = "encodeURIComponent"`
	`56`	`+ name in ["encodeURI", "encodeURIComponent", "escape"]`
`57`	`57`	`)`
`58`	`58`	`}`
`59`	`59`	`}`