import javascript

import semmle.javascript.security.dataflow.XpathInjectionQuery

select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),

"user-provided value"

edges

| XpathInjectionBad.js:6:7:6:38 | userName | XpathInjectionBad.js:9:66:9:73 | userName |

| XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:6:7:6:38 | userName |

| XpathInjectionBad.js:9:66:9:73 | userName | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" |

| tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:1:13:1:47 | documen ... ring(1) |

| tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:2:27:2:31 | query |

| tst2.js:1:13:1:47 | documen ... ring(1) | tst2.js:3:19:3:23 | query |

| tst.js:6:7:6:37 | tainted | tst.js:7:15:7:21 | tainted |

| tst.js:6:7:6:37 | tainted | tst.js:8:16:8:22 | tainted |

| tst.js:6:7:6:37 | tainted | tst.js:9:17:9:23 | tainted |

| tst.js:6:7:6:37 | tainted | tst.js:11:8:11:14 | tainted |

| tst.js:6:17:6:37 | req.par ... rName") | tst.js:6:7:6:37 | tainted |

#select

| XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | XpathInjectionBad.js:9:34:9:96 | "//user ... text()" | XPath expression depends on a $@. | XpathInjectionBad.js:6:18:6:38 | req.par ... rName") | user-provided value |

| tst2.js:2:27:2:31 | query | tst2.js:1:13:1:34 | documen ... on.hash | tst2.js:2:27:2:31 | query | XPath expression depends on a $@. | tst2.js:1:13:1:34 | documen ... on.hash | user-provided value |