add comment about filtering away jQuery from the source

erik-krogh · erik-krogh · commit 3fe5dd0f3508 · 2021-05-10T10:05:18.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -25,6 +25,7 @@ module UnsafeHtmlConstruction {
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
       this = Exports::getALibraryInputParameter() and
+      // An AMD-style module sometimes loads the jQuery library in a way which looks like library input.
       not this = JQuery::dollarSource()
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ module UnsafeHtmlConstruction {`
`25`	`25`	`class ExternalInputSource extends Source, DataFlow::ParameterNode {`
`26`	`26`	`ExternalInputSource() {`
`27`	`27`	`this = Exports::getALibraryInputParameter() and`
	`28`	`+ // An AMD-style module sometimes loads the jQuery library in a way which looks like library input.`
`28`	`29`	`not this = JQuery::dollarSource()`
`29`	`30`	`}`
`30`	`31`	`}`