JS: Accept some less obvious alerts

asgerf · asgerf · commit 1f3c49638bdc · 2025-02-28T13:27:48.000+01:00
These are listed in a function called 'good' but it's difficult to say in isolation whether they should be flagged or not. Accepting the changes as they seem reasonable.
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -126,18 +126,18 @@ function good11(s) {
   return s.replace("%d", "42");
 }
 
-function good12(s) {
+function goodOrBad12(s) {
 	s.replace('[', '').replace(']', '');
 	s.replace('(', '').replace(')', '');
 	s.replace('{', '').replace('}', '');
-	s.replace('<', '').replace('>', ''); // too common as a bad HTML sanitizer
+	s.replace('<', '').replace('>', ''); // $ Alert[js/incomplete-sanitization]
 
-	s.replace('[', '\\[').replace(']', '\\]');
-	s.replace('{', '\\{').replace('}', '\\}');
+	s.replace('[', '\\[').replace(']', '\\]'); // $ Alert[js/incomplete-sanitization]
+	s.replace('{', '\\{').replace('}', '\\}'); // $ Alert[js/incomplete-sanitization]
 
 	s = s.replace('[', '');
 	s = s.replace(']', '');
-	s.replace(/{/, '').replace(/}/, ''); // should have used a string literal if a single replacement was intended
+	s.replace(/{/, '').replace(/}/, ''); // $ Alert[js/incomplete-sanitization] - should have used a string literal if a single replacement was intended
 	s.replace(']', '').replace('[', ''); // $ Alert[js/incomplete-sanitization] - probably OK, but still flagged
 }
 
