@@ -8,9 +8,9 @@ def ensure_not_tainted(*args):
88 print ("ensure_not_tainted" )
99 for x in args : print (" " , x )
1010
11- # these contain `{}` so we can use .format
12- TAINTED_STRING = '<"TAINTED_STRING" {}>'
13- SAFE = "SAFE {}"
11+ # these contain `{}` so we can use .format, and `%s` so we can use %-style formatting
12+ TAINTED_STRING = '<"TAINTED_STRING" {} %s >'
13+ SAFE = "SAFE {} %s "
1414
1515def test ():
1616 ts = TAINTED_STRING
@@ -36,9 +36,11 @@ def test():
3636 m_unsafe + SAFE , # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
3737 SAFE + m_unsafe , # $ escapeInput=SAFE escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
3838 m_unsafe .format (SAFE ), # $ escapeInput=SAFE escapeKind=html escapeOutput=m_unsafe.format(..) MISSING: tainted
39+ m_unsafe % SAFE , # $ tainted MISSING: escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
3940 m_unsafe + ts , # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr MISSING: tainted
4041
4142 m_safe .format (m_unsafe ), # $ tainted
43+ m_safe % m_unsafe , # $ tainted
4244
4345 escape (ts ).unescape (), # $ escapeInput=ts escapeKind=html escapeOutput=escape(..) MISSING: tainted
4446 escape_silent (ts ).unescape (), # $ escapeInput=ts escapeKind=html escapeOutput=escape_silent(..) MISSING: tainted
@@ -54,6 +56,7 @@ def test():
5456 m_safe + ts , # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
5557 ts + m_safe , # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
5658 m_safe .format (ts ), # $ escapeInput=ts escapeKind=html escapeOutput=m_safe.format(..)
59+ m_safe % ts , # $ SPURIOUS: tainted MISSING: escapeInput=ts escapeKind=html escapeOutput=BinaryExpr
5760
5861 escape (ts ) + ts , # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape(..)
5962 escape_silent (ts ) + ts , # $ escapeInput=ts escapeKind=html escapeOutput=BinaryExpr escapeOutput=escape_silent(..)
0 commit comments