Merge pull request github#5391 from erik-krogh/additionalXss

Approved by asgerf

Author: codeql-ci

javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll

@@ -44,7 +44,8 @@ class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {
         // exclude URLs to the current host
         r.getUrl().mayHaveStringValue(url) and
         protocolPattern = "(?[a-z+]{3,10}:)" and
-        not url.regexpMatch(protocolPattern + "?//.*")
+        not url.regexpMatch(protocolPattern + "?//.*") and
+        not url.prefix(2) = ["{{", "{%"] // look like templating
       )
     )
   }

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -726,6 +726,13 @@ nodes
 | winjs.js:3:43:3:49 | tainted |
 | winjs.js:4:43:4:49 | tainted |
 | winjs.js:4:43:4:49 | tainted |
+| xmlRequest.js:8:13:8:47 | json |
+| xmlRequest.js:8:20:8:47 | JSON.pa ... seText) |
+| xmlRequest.js:8:31:8:46 | xhr.responseText |
+| xmlRequest.js:8:31:8:46 | xhr.responseText |
+| xmlRequest.js:9:28:9:31 | json |
+| xmlRequest.js:9:28:9:39 | json.message |
+| xmlRequest.js:9:28:9:39 | json.message |
 edges
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
@@ -1361,6 +1368,13 @@ edges
 | winjs.js:2:17:2:33 | document.location | winjs.js:2:17:2:40 | documen ... .search |
 | winjs.js:2:17:2:40 | documen ... .search | winjs.js:2:17:2:53 | documen ... ring(1) |
 | winjs.js:2:17:2:53 | documen ... ring(1) | winjs.js:2:7:2:53 | tainted |
+| xmlRequest.js:8:13:8:47 | json | xmlRequest.js:9:28:9:31 | json |
+| xmlRequest.js:8:20:8:47 | JSON.pa ... seText) | xmlRequest.js:8:13:8:47 | json |
+| xmlRequest.js:8:31:8:46 | xhr.responseText | xmlRequest.js:8:20:8:47 | JSON.pa ... seText) |
+| xmlRequest.js:8:31:8:46 | xhr.responseText | xmlRequest.js:8:20:8:47 | JSON.pa ... seText) |
+| xmlRequest.js:9:28:9:31 | json | xmlRequest.js:9:28:9:39 | json.message |
+| xmlRequest.js:9:28:9:31 | json | xmlRequest.js:9:28:9:39 | json.message |
 #select
 | jwt.js:6:14:6:20 | decoded | jwt.js:4:36:4:39 | data | jwt.js:6:14:6:20 | decoded | Cross-site scripting vulnerability due to $@. | jwt.js:4:36:4:39 | data | user-provided value |
 | typeahead.js:10:16:10:18 | loc | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | Cross-site scripting vulnerability due to $@. | typeahead.js:9:28:9:30 | loc | user-provided value |
+| xmlRequest.js:9:28:9:39 | json.message | xmlRequest.js:8:31:8:46 | xhr.responseText | xmlRequest.js:9:28:9:39 | json.message | Cross-site scripting vulnerability due to $@. | xmlRequest.js:8:31:8:46 | xhr.responseText | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/xmlRequest.js

@@ -0,0 +1,16 @@
+$(document).ready(function () {
+    var xhr = new XMLHttpRequest();
+    var url = "{{ some_url }}"
+    xhr.open("GET", url, true)
+    xhr.setRequestHeader("Content-Type", "application/json")
+    xhr.onreadystatechange = function () {
+        if (xhr.readyState !== 4) { return }
+        var json = JSON.parse(xhr.responseText)
+        $("#myThing").html(json.message);
+    }
+    try {
+        xhr.send()
+    } catch (error) {
+        console.log(error)
+    }
+})