Merge pull request github#5236 from asgerf/js/html-invalid-attr-name

codeql-ci · web-flow · commit 2551aace89ab · 2021-02-23T02:03:29.000-08:00
Approved by erik-krogh
diff --git a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
@@ -143,6 +143,18 @@ public void handleElement(Element elt, HtmlPopulator.Context context) {
           }
       }
     }
+
+    @Override
+    public boolean shouldExtractAttributes(Element element) {
+      Attributes attributes = element.getAttributes();
+      if (attributes == null) return false;
+      for (Attribute attr : attributes) {
+        if (!VALID_ATTRIBUTE_NAME.matcher(attr.getName()).matches()) {
+          return false;
+        }
+      }
+      return true;
+    }
   }
 
   private boolean isAngularTemplateAttributeName(String name) {
@@ -153,6 +165,8 @@ private boolean isAngularTemplateAttributeName(String name) {
 
   private static final Pattern ANGULAR_FOR_LOOP_DECL = Pattern.compile("^ *let +(\\w+) +of(?: +|(?!\\w))(.*)");
 
+  private static final Pattern VALID_ATTRIBUTE_NAME = Pattern.compile("\\*?\\[?\\(?[\\w:_\\-]+\\]?\\)?");
+
   /** List of HTML attributes whose value is interpreted as JavaScript. */
   private static final Pattern JS_ATTRIBUTE =
       Pattern.compile(
diff --git a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html
@@ -1 +1,3 @@
 <a href="https://semmle.com" href="https://semmle.com">Semmle</a>
+
+<td {% foo %} {% foo %}></td>

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,18 @@ public void handleElement(Element elt, HtmlPopulator.Context context) {`
`143`	`143`	`}`
`144`	`144`	`}`
`145`	`145`	`}`
	`146`	`+`
	`147`	`+ @Override`
	`148`	`+ public boolean shouldExtractAttributes(Element element) {`
	`149`	`+ Attributes attributes = element.getAttributes();`
	`150`	`+ if (attributes == null) return false;`
	`151`	`+ for (Attribute attr : attributes) {`
	`152`	`+ if (!VALID_ATTRIBUTE_NAME.matcher(attr.getName()).matches()) {`
	`153`	`+ return false;`
	`154`	`+ }`
	`155`	`+ }`
	`156`	`+ return true;`
	`157`	`+ }`
`146`	`158`	`}`
`147`	`159`
`148`	`160`	`private boolean isAngularTemplateAttributeName(String name) {`
`@@ -153,6 +165,8 @@ private boolean isAngularTemplateAttributeName(String name) {`
`153`	`165`
`154`	`166`	`private static final Pattern ANGULAR_FOR_LOOP_DECL = Pattern.compile("^ let +(\\w+) +of(?: +\|(?!\\w))(.)");`
`155`	`167`
	`168`	`+ private static final Pattern VALID_ATTRIBUTE_NAME = Pattern.compile("\\*?\\[?\\(?[\\w:_\\-]+\\]?\\)?");`
	`169`	`+`
`156`	`170`	`/** List of HTML attributes whose value is interpreted as JavaScript. */`
`157`	`171`	`private static final Pattern JS_ATTRIBUTE =`
`158`	`172`	`Pattern.compile(`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`<a href="https://semmle.com" href="https://semmle.com">Semmle</a>`
	`2`	`+`
	`3`	`+<td {% foo %} {% foo %}></td>`