JS: Use getABoundFunctionValue instead of type-tracking

asgerf · asgerf · commit 61a7ee938758 · 2023-03-28T12:56:03.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
@@ -563,25 +563,6 @@ module JQuery {
     }
   }
 
-  /** Gets a data flow node that reaches a sink that is interpreted as HTML. */
-  private DataFlow::SourceNode htmlCallback(DataFlow::TypeBackTracker t) {
-    t.start() and
-    any(JQuery::MethodCall c).interpretsArgumentAsHtml(result.getALocalUse())
-    or
-    exists(DataFlow::TypeBackTracker t2 | result = htmlCallback(t2).backtrack(t2, t))
-  }
-
-  /**
-   * Gets a function that is passed as a callback to a jQuery function, which will interpret its return value as HTML.
-   *
-   * For example, this gets the function `f` below:
-   * ```js
-   * function f() { ... }
-   * $('#foo').replaceWith(f);
-   * ```
-   */
-  DataFlow::FunctionNode htmlCallback() { result = htmlCallback(DataFlow::TypeBackTracker::end()) }
-
   /**
    * Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>` or `$.extend($.fn, {<pluginName>, <plugin>})`.
    */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll
@@ -123,8 +123,9 @@ class Configuration extends TaintTracking::Configuration {
     inlbl = TaintedUrlSuffix::label() and
     outlbl = prefixLabel()
     or
-    exists(DataFlow::FunctionNode callback |
-      callback = JQuery::htmlCallback() and
+    exists(DataFlow::FunctionNode callback, DataFlow::Node arg |
+      any(JQuery::MethodCall c).interpretsArgumentAsHtml(arg) and
+      callback = arg.getABoundFunctionValue(_) and
       src = callback.getReturnNode() and
       trg = callback and
       inlbl = outlbl
