Merge pull request github#5049 from erik-krogh/singleQuote

codeql-ci · web-flow · commit 209fe8d7e52a · 2021-02-02T13:48:42.000-08:00
Approved by esbena
diff --git a/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll b/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
@@ -23,7 +23,9 @@ abstract class IncompleteBlacklistSanitizer extends DataFlow::Node {
  * Describes the characters represented by `rep`.
  */
 string describeCharacters(string rep) {
-  rep = "\"" and result = "quotes"
+  rep = "\"" and result = "double quotes"
+  or
+  rep = "'" and result = "single quotes"
   or
   rep = "&" and result = "ampersands"
   or
@@ -86,6 +88,12 @@ module HtmlSanitization {
       chain.getAReplacementString() = "&#34;"
     )
     or
+    result = "'" and
+    (
+      chain.getAReplacedString() = result or
+      chain.getAReplacementString() = "&#39;"
+    )
+    or
     result = "&" and
     (
       chain.getAReplacedString() = result or
@@ -123,11 +131,7 @@ module HtmlSanitization {
         // replaces `<` and `>`
         getALikelyReplacedCharacter(chain) = "<" and
         getALikelyReplacedCharacter(chain) = ">" and
-        (
-          unsanitized = "\""
-          or
-          unsanitized = "&"
-        )
+        unsanitized = ["\"", "'", "&"]
         or
         // replaces '&' and either `<` or `>`
         getALikelyReplacedCharacter(chain) = "&" and
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitization.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitization.qll
@@ -14,7 +14,7 @@ module IncompleteHtmlAttributeSanitization {
 
   private module Label {
     class Quote extends DataFlow::FlowLabel {
-      Quote() { this = "\"" }
+      Quote() { this = ["\"", "'"] }
     }
 
     class Ampersand extends DataFlow::FlowLabel {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -49,11 +49,15 @@ module IncompleteHtmlAttributeSanitization {
    */
   class HtmlAttributeConcatenation extends StringOps::ConcatenationLeaf {
     string lhs;
+    string quote;
 
     HtmlAttributeConcatenation() {
-      lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(?s)(.*)=\"[^\"]*", 1) and
+      quote = ["\"", "'"] and
+      exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
+        lhs = prev.regexpCapture("(?s)(.*)=" + quote + "[^" + quote + "=<>]*", 1)
+      ) and
       (
-        this.getNextLeaf().getStringValue().regexpMatch(".*\".*") or
+        this.getNextLeaf().getStringValue().regexpMatch(".*" + quote + ".*") or
         this instanceof StringOps::HtmlConcatenationLeaf
       )
     }
@@ -62,6 +66,11 @@ module IncompleteHtmlAttributeSanitization {
      * Holds if the attribute value is interpreted as JavaScript source code.
      */
     predicate isInterpretedAsJavaScript() { lhs.regexpMatch("(?i)(.* )?on[a-z]+") }
+
+    /**
+     * Gets the quote symbol (" or ') that is used to mark the attribute value.
+     */
+    string getQuote() { result = quote }
   }
 
   /**
@@ -74,7 +83,7 @@ module IncompleteHtmlAttributeSanitization {
     override string getADangerousCharacter() {
       isInterpretedAsJavaScript() and result = "&"
       or
-      result = "\""
+      result = getQuote()
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected
@@ -1,29 +1,65 @@
 | tst.js:206:2:206:24 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:206:2:206:24 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize quotes |
-| tst.js:207:2:207:26 | s().rep ... /g, '') | This HTML sanitizer does not sanitize quotes |
+| tst.js:206:2:206:24 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:206:2:206:24 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:207:2:207:26 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:207:2:207:26 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:208:2:208:26 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:208:2:208:26 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:209:2:209:40 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:209:2:209:40 | s().rep ... /g, '') | This HTML sanitizer does not sanitize quotes |
-| tst.js:210:2:210:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize quotes |
-| tst.js:211:2:211:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize quotes |
-| tst.js:212:2:212:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize quotes |
+| tst.js:209:2:209:40 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:209:2:209:40 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:210:2:210:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:210:2:210:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:211:2:211:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:211:2:211:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:212:2:212:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:212:2:212:58 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:215:6:215:24 | s.replace(/>/g, '') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:215:6:215:24 | s.replace(/>/g, '') | This HTML sanitizer does not sanitize quotes |
-| tst.js:217:2:217:93 | s().rep ... &#39;') | This HTML sanitizer does not sanitize quotes |
+| tst.js:215:6:215:24 | s.replace(/>/g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:215:6:215:24 | s.replace(/>/g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:216:2:216:93 | s().rep ... &#34;') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:217:2:217:93 | s().rep ... &#39;') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:223:2:223:107 | s().rep ... &amp;') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:243:9:243:31 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:243:9:243:31 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize quotes |
-| tst.js:244:9:244:33 | s().rep ... /g, '') | This HTML sanitizer does not sanitize quotes |
+| tst.js:243:9:243:31 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:243:9:243:31 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:244:9:244:33 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:244:9:244:33 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:245:9:245:33 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:249:9:249:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize quotes |
-| tst.js:251:9:251:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize quotes |
+| tst.js:245:9:245:33 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:246:9:246:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:249:9:249:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:250:9:250:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:251:9:251:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
 | tst.js:253:21:253:45 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:253:21:253:45 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:254:32:254:56 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:255:26:255:50 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:255:26:255:50 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:256:15:256:39 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:261:10:261:81 | value.r ... '&gt;') | This HTML sanitizer does not sanitize quotes |
+| tst.js:256:15:256:39 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:261:10:261:81 | value.r ... '&gt;') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:261:10:261:81 | value.r ... '&gt;') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:270:61:270:85 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:272:28:272:50 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:272:28:272:50 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize quotes |
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:274:12:274:94 | s().val ... g , '') | This HTML sanitizer does not sanitize ampersands |
-| tst.js:274:12:274:94 | s().val ... g , '') | This HTML sanitizer does not sanitize quotes |
+| tst.js:274:12:274:94 | s().val ... g , '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:274:12:274:94 | s().val ... g , '') | This HTML sanitizer does not sanitize single quotes |
 | tst.js:277:9:277:29 | arr2.re ... "/g,"") | This HTML sanitizer does not sanitize ampersands |
+| tst.js:277:9:277:29 | arr2.re ... "/g,"") | This HTML sanitizer does not sanitize single quotes |
+| tst.js:284:6:284:30 | x.repla ... quot;') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:294:7:294:31 | y.repla ... quot;') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:302:10:302:34 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:303:10:303:34 | s().rep ... /g, '') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:303:10:303:34 | s().rep ... /g, '') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:304:9:304:33 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:305:10:305:34 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
@@ -8,6 +8,9 @@ nodes
 | tst.js:249:9:249:33 | s().rep ... ]/g,'') |
 | tst.js:249:9:249:33 | s().rep ... ]/g,'') |
 | tst.js:249:9:249:33 | s().rep ... ]/g,'') |
+| tst.js:250:9:250:33 | s().rep ... ]/g,'') |
+| tst.js:250:9:250:33 | s().rep ... ]/g,'') |
+| tst.js:250:9:250:33 | s().rep ... ]/g,'') |
 | tst.js:253:21:253:45 | s().rep ... /g, '') |
 | tst.js:253:21:253:45 | s().rep ... /g, '') |
 | tst.js:253:21:253:45 | s().rep ... /g, '') |
@@ -23,10 +26,23 @@ nodes
 | tst.js:275:9:275:11 | arr |
 | tst.js:275:9:275:21 | arr.join(" ") |
 | tst.js:275:9:275:21 | arr.join(" ") |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') |
+| tst.js:302:10:302:34 | s().rep ... ]/g,'') |
+| tst.js:302:10:302:34 | s().rep ... ]/g,'') |
+| tst.js:302:10:302:34 | s().rep ... ]/g,'') |
+| tst.js:303:10:303:34 | s().rep ... /g, '') |
+| tst.js:303:10:303:34 | s().rep ... /g, '') |
+| tst.js:303:10:303:34 | s().rep ... /g, '') |
 edges
 | tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') |
 | tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') |
 | tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') |
+| tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') |
 | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') |
@@ -35,11 +51,20 @@ edges
 | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:94 | arr |
 | tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") |
 | tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') |
+| tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') |
+| tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') |
 #select
-| tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain quotes when it reaches this attribute definition. | tst.js:243:9:243:31 | s().rep ... ]/g,'') | this final HTML sanitizer step |
-| tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain quotes when it reaches this attribute definition. | tst.js:244:9:244:33 | s().rep ... /g, '') | this final HTML sanitizer step |
-| tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain quotes when it reaches this attribute definition. | tst.js:249:9:249:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
-| tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step |
-| tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step |
-| tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step |
-| tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step |
+| tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | tst.js:243:9:243:31 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:243:9:243:31 | s().rep ... ]/g,'') | this final HTML sanitizer step |
+| tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | tst.js:244:9:244:33 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:244:9:244:33 | s().rep ... /g, '') | this final HTML sanitizer step |
+| tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | tst.js:249:9:249:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:249:9:249:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
+| tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') | tst.js:250:9:250:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:250:9:250:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
+| tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step |
+| tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step |
+| tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step |
+| tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step |
+| tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
+| tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... ]/g,'') | this final HTML sanitizer step |
+| tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:302:10:302:34 | s().rep ... ]/g,'') | this final HTML sanitizer step |
+| tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ module IncompleteHtmlAttributeSanitization {`
`14`	`14`
`15`	`15`	`private module Label {`
`16`	`16`	`class Quote extends DataFlow::FlowLabel {`
`17`		`- Quote() { this = "\"" }`
	`17`	`+ Quote() { this = ["\"", "'"] }`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`class Ampersand extends DataFlow::FlowLabel {`
Original file line number	Diff line number	Diff line change
`@@ -49,11 +49,15 @@ module IncompleteHtmlAttributeSanitization {`
`49`	`49`	`*/`
`50`	`50`	`class HtmlAttributeConcatenation extends StringOps::ConcatenationLeaf {`
`51`	`51`	`string lhs;`
	`52`	`+ string quote;`
`52`	`53`
`53`	`54`	`HtmlAttributeConcatenation() {`
`54`		`- lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(?s)(.)=\"[^\"]", 1) and`
	`55`	`+ quote = ["\"", "'"] and`
	`56`	`+ exists(string prev \| prev = this.getPreviousLeaf().getStringValue() \|`
	`57`	`+ lhs = prev.regexpCapture("(?s)(.)=" + quote + "[^" + quote + "=<>]", 1)`
	`58`	`+ ) and`
`55`	`59`	`(`
`56`		`- this.getNextLeaf().getStringValue().regexpMatch(".\".") or`
	`60`	`+ this.getNextLeaf().getStringValue().regexpMatch("." + quote + ".") or`
`57`	`61`	`this instanceof StringOps::HtmlConcatenationLeaf`
`58`	`62`	`)`
`59`	`63`	`}`
`@@ -62,6 +66,11 @@ module IncompleteHtmlAttributeSanitization {`
`62`	`66`	`* Holds if the attribute value is interpreted as JavaScript source code.`
`63`	`67`	`*/`
`64`	`68`	`predicate isInterpretedAsJavaScript() { lhs.regexpMatch("(?i)(.* )?on[a-z]+") }`
	`69`	`+`
	`70`	`+ /**`
	`71`	`+ * Gets the quote symbol (" or ') that is used to mark the attribute value.`
	`72`	`+ */`
	`73`	`+ string getQuote() { result = quote }`
`65`	`74`	`}`
`66`	`75`
`67`	`76`	`/**`
`@@ -74,7 +83,7 @@ module IncompleteHtmlAttributeSanitization {`
`74`	`83`	`override string getADangerousCharacter() {`
`75`	`84`	`isInterpretedAsJavaScript() and result = "&"`
`76`	`85`	`or`
`77`		`- result = "\""`
	`86`	`+ result = getQuote()`
`78`	`87`	`}`
`79`	`88`	`}`
`80`	`89`