JS: Dont use getALocalSource() when marking Vue template sinks

asgerf · asgerf · commit 6d9b96f6e8f3 · 2021-07-02T11:55:56.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -331,7 +331,7 @@ module DomBasedXss {
    * A write to the `template` option of a Vue instance, viewed as an XSS sink.
    */
   class VueTemplateSink extends DomBasedXss::Sink {
-    VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }
+    VueTemplateSink() { this = any(Vue::Instance i).getOption("template") }
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -331,7 +331,7 @@ module DomBasedXss {`
`331`	`331`	* A write to the `template` option of a Vue instance, viewed as an XSS sink.
`332`	`332`	`*/`
`333`	`333`	`class VueTemplateSink extends DomBasedXss::Sink {`
`334`		`- VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }`
	`334`	`+ VueTemplateSink() { this = any(Vue::Instance i).getOption("template") }`
`335`	`335`	`}`
`336`	`336`
`337`	`337`	`/**`