recognize more HTML attribute concatenations

erik-krogh · erik-krogh · commit a9bea6301924 · 2020-05-26T12:36:24.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -51,8 +51,11 @@ module IncompleteHtmlAttributeSanitization {
     string lhs;
 
     HtmlAttributeConcatenation() {
-      lhs = this.getPreviousLeaf().getStringValue().regexpCapture("(.*)=\"[^\"]*", 1) and
-      this.getNextLeaf().getStringValue().regexpMatch(".*\".*")
+      lhs = this.getPreviousLeaf().getStringValue().regexpCapture("((?:[\n\r]|.)*)=\"[^\"]*", 1) and
+      (
+        this.getNextLeaf().getStringValue().regexpMatch(".*\".*") or
+        this.getRoot().getConstantStringParts().regexpMatch("(?:[\n\r]|.)*</.*")
+      )
     }
 
     /**
