jorgectf
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSFlowSteps.qll
Lines changed: 1 addition & 1 deletion b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSFlowSteps.qll
Lines changed: 1 addition & 1 deletion
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Shared/Test18.cshtml
Lines changed: 9 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Shared/Test18.cshtml
Lines changed: 9 additions & 0 deletions
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Test4/Test17.cshtml
Lines changed: 9 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Areas/TestArea/Views/Test4/Test17.cshtml
Lines changed: 9 additions & 0 deletions
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs
Lines changed: 29 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs
Lines changed: 29 additions & 0 deletions
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Shared_Test18.cshtml.g.cs
Lines changed: 74 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Shared_Test18.cshtml.g.cs
Lines changed: 74 additions & 0 deletions
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Test4_Test17.cshtml.g.cs
Lines changed: 74 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Areas_TestArea_Views_Test4_Test17.cshtml.g.cs
Lines changed: 74 additions & 0 deletions
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom2_Test16.cshtml.g.cs
Lines changed: 74 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom2_Test16.cshtml.g.cs
Lines changed: 74 additions & 0 deletions
diff --git a/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test19.cshtml.g.cs
Lines changed: 74 additions & 0 deletions b/‎csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Shared_Test19.cshtml.g.cs
Lines changed: 74 additions & 0 deletions
@@ -112,7 +112,7 @@ private predicate viewCallRefersToPageRelative(ViewCall vc, RazorPage rp) {
   ["", "~"] + rp.getSourceFilepath() =
     min(int i, RelativeViewCallFilepath fp |
       fp.hasViewCallWithIndex(vc, i) and
-      exists(RazorPage rp2 | rp2.getSourceFilepath() = fp.getNormalizedPath())
+      exists(RazorPage rp2 | ["", "~"] + rp2.getSourceFilepath() = fp.getNormalizedPath())
     |
       fp.getNormalizedPath() order by i
     )
 
@@ -0,0 +1,9 @@
+@namespace test
+@model UserData
+@{
+}
+
+@if (Model != null)
+{
+    <h3>Hello "@Html.Raw(Model.Name)"</h3>
+}
@@ -0,0 +1,9 @@
+@namespace test
+@model UserData
+@{
+}
+
+@if (Model != null)
+{
+    <h3>Hello "@Html.Raw(Model.Name)"</h3>
+}
@@ -100,10 +100,39 @@ class Helper {
 public class Test3Controller : Controller {
     public void Setup(RazorViewEngineOptions o) {
         o.ViewLocationFormats.Add("/Views/Custom/{1}/{0}.cshtml");
+        o.ViewLocationFormats.Add("~/Views/Custom2/{0}.cshtml");
     }
 
     public IActionResult Test15(UserData tainted15) {
         // Expected to find file /Views/Custom/Test3/Test15.cshtml
         return View(tainted15);
     }
+
+    public IActionResult test16(UserData tainted16) {
+        // Expected to find file /Views/Custom2/Test16.cshtml
+        return View("Test16", tainted16);
+    }
+}
+
+[Area("TestArea")]
+public class Test4Controller : Controller {
+    public IActionResult test17(UserData tainted17) {
+        // Expected to find file /Areas/TestArea/Views/Test4/Test17.cshtml
+        return View("Test17", tainted17);
+    }
+
+    public IActionResult test18(UserData tainted18) {
+        // Expected to find file /Areas/TestArea/Views/Shared/Test17.cshtml
+        return View("Test18", tainted18);
+    }
+
+    public IActionResult test19(UserData tainted19) {
+        // Expected to find file /Views/Shared/Test19.cshtml
+        return View("Test19", tainted19);
+    }
+
+    public IActionResult test20(UserData tainted20) {
+        // SPURIOUS: Expected to find nothing (and NOT /Views/Test4/Test20.cshtml).
+        return View("Test20", tainted20);
+    }
 }
@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Areas_TestArea_Views_Shared_Test18), @"mvc.1.0.view", @"/Areas/TestArea/Views/Shared/Test18.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Areas/TestArea/Views/Shared/Test18.cshtml")]
+    public class Areas_TestArea_Views_Shared_Test18 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Areas/TestArea/Views/Shared/Test18.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Areas/TestArea/Views/Shared/Test18.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Areas/TestArea/Views/Shared/Test18.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591
@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Areas_TestArea_Views_Test4_Test17), @"mvc.1.0.view", @"/Areas/TestArea/Views/Test4/Test17.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Areas/TestArea/Views/Test4/Test17.cshtml")]
+    public class Areas_TestArea_Views_Test4_Test17 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Areas/TestArea/Views/Test4/Test17.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Areas/TestArea/Views/Test4/Test17.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Areas/TestArea/Views/Test4/Test17.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591
@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Custom2_Test16), @"mvc.1.0.view", @"/Views/Custom2/Test16.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Custom2/Test16.cshtml")]
+    public class Views_Custom2_Test16 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Custom2/Test16.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Custom2/Test16.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Custom2/Test16.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591
@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Shared_Test19), @"mvc.1.0.view", @"/Views/Shared/Test19.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Shared/Test19.cshtml")]
+    public class Views_Shared_Test19 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Shared/Test19.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Shared/Test19.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Shared/Test19.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591
Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ private predicate viewCallRefersToPageRelative(ViewCall vc, RazorPage rp) {`
`112`	`112`	`["", "~"] + rp.getSourceFilepath() =`
`113`	`113`	`min(int i, RelativeViewCallFilepath fp \|`
`114`	`114`	`fp.hasViewCallWithIndex(vc, i) and`
`115`		`- exists(RazorPage rp2 \| rp2.getSourceFilepath() = fp.getNormalizedPath())`
	`115`	`+ exists(RazorPage rp2 \| ["", "~"] + rp2.getSourceFilepath() = fp.getNormalizedPath())`
`116`	`116`	`\|`
`117`	`117`	`fp.getNormalizedPath() order by i`
`118`	`118`	`)`