add global replacements using inverted char classes as a sanitizer for DOM based XSS

erik-krogh · erik-krogh · commit e60628d46335 · 2021-04-28T11:29:30.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -34,7 +34,14 @@ module Shared {
   class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
     MetacharEscapeSanitizer() {
       isGlobal() and
-      RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
+      (
+        RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
+        or
+        // or it's a global inverted char class.
+        getRegExp().getRoot().(RegExpCharacterClass).isInverted()
+        or
+        getRegExp().getRoot().(RegExpQuantifier).getAChild().(RegExpCharacterClass).isInverted()
+      )
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -85,4 +85,8 @@
 
 	$("#id").html(anser.ansiToHtml(text)); // NOT OK
 	$("#id").html(new anser().process(text)); // NOT OK
+	
+	$("section h1").each(function(){
+		$("nav ul").append("<a href='#" + $(this).text().toLowerCase().replace(/ /g, '-').replace(/[^\w-]+/g,'') + "'>Section</a>"); // OK
+	});
 })();
