use HtmlConcatenationLeaf

erik-krogh · erik-krogh · commit 63a14d1b9648 · 2020-05-26T18:33:29.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -54,7 +54,7 @@ module IncompleteHtmlAttributeSanitization {
       lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(?s)(.*)=\"[^\"]*", 1) and
       (
         this.getNextLeaf().getStringValue().regexpMatch(".*\".*") or
-        this.getRoot().getConstantStringParts().regexpMatch("(?s).*</.*")
+        this instanceof StringOps::HtmlConcatenationLeaf
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ module IncompleteHtmlAttributeSanitization {`
`54`	`54`	`lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(?s)(.)=\"[^\"]", 1) and`
`55`	`55`	`(`
`56`	`56`	`this.getNextLeaf().getStringValue().regexpMatch(".\".") or`
`57`		`- this.getRoot().getConstantStringParts().regexpMatch("(?s).</.")`
	`57`	`+ this instanceof StringOps::HtmlConcatenationLeaf`
`58`	`58`	`)`
`59`	`59`	`}`
`60`	`60`