File tree Expand file tree Collapse file tree 2 files changed +4
-3
lines changed
lines changed Original file line number Diff line number Diff line change 77 </overview >
88 <recommendation >
99 <p >
10- This vulnerability can be prevented by not allowing untrusted user input to be passed as a XSL stylesheet.
10+ This vulnerability can be prevented by not allowing untrusted user input to be passed as an XSL stylesheet.
1111 If the application logic necessiates processing untrusted XSL stylesheets, the input should be properly filtered and sanitized before use.
1212 </p >
1313 </recommendation >
Original file line number Diff line number Diff line change @@ -41,22 +41,23 @@ module XSLTInjection {
4141 }
4242
4343 private predicate etreeXML ( ControlFlowNode fromnode , CallNode tonode ) {
44+ // etree.XML("<xmlContent>")
4445 exists ( CallNode call | call .getFunction ( ) .( AttrNode ) .getObject ( "XML" ) .pointsTo ( etree ( ) ) |
4546 call .getArg ( 0 ) = fromnode and
4647 call = tonode
4748 )
4849 }
4950
5051 private predicate etreeFromString ( ControlFlowNode fromnode , CallNode tonode ) {
51- // fromstring(text, parser=None)
52+ // etree. fromstring(text, parser=None)
5253 exists ( CallNode call | call .getFunction ( ) .( AttrNode ) .getObject ( "fromstring" ) .pointsTo ( etree ( ) ) |
5354 call .getArg ( 0 ) = fromnode and
5455 call = tonode
5556 )
5657 }
5758
5859 private predicate etreeFromStringList ( ControlFlowNode fromnode , CallNode tonode ) {
59- // fromstringlist(strings, parser=None)
60+ // etree. fromstringlist(strings, parser=None)
6061 exists ( CallNode call |
6162 call .getFunction ( ) .( AttrNode ) .getObject ( "fromstringlist" ) .pointsTo ( etree ( ) )
6263 |
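Review bot: The two comments added at 52+ and 60+ carry a stray space after the dot (`// etree. fromstring(text, parser=None)`), which reads as if `fromstring` were a separate token from the module; they should be `// etree.fromstring(text, parser=None)` and `// etree.fromstringlist(strings, parser=None)`. The comment added to etreeXML at 44+ is in call-example form (`// etree.XML("<xmlContent>")`) while its two siblings are in signature form, so `// etree.XML(text, parser=None)` would keep the three predicates consistent. Since all three predicates select the callee through `.(AttrNode).getObject(...).pointsTo(etree())`, they presumably match only attribute-style calls on the etree module and not a bare `fromstring(...)` after `from lxml.etree import fromstring`; if that is the intended scope it deserves a line next to these comments, e.g. `// Only attribute calls on the etree module are modelled; directly imported names are not`, and if not it is a gap to confirm. The enclosing `module XSLTInjection` starts before this hunk and continues after it.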