

Commit f0a0f41

committed
allow urls that are prefixed with # or ? in js/unsafe-external-link
1 parent f7edf28 commit f0a0f41

3 files changed

Lines changed: 17 additions & 1 deletion

File tree

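--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -29,7 +29,7 @@ predicate hasDynamicHrefHostAttributeValue(DOM::ElementDefinition elem) {
 or
 exists(string url | url = attr.getStringValue() |
 // fixed string with templating
-url.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
+url.regexpMatch(Templating::getDelimiterMatchingRegexpWithPrefix("[^?#]*")) and
 // ... that does not start with a fixed host or a relative path (common formats)
 not url.regexpMatch("(?i)((https?:)?//)?[-a-z0-9.]*/.*") and
 // ... that is not a mailto: link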
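Review bot: The `[^?#]*` prefix on the `regexpMatch` line encodes a security argument that the surrounding comments never state: a templated value that first appears after a `?` or `#` lands in the query string or fragment, where it cannot change the host the `target="_blank"` page navigates to, so the query stops reporting it. A reader of `// fixed string with templating` will not recover that from the regexp alone; I would extend it to `// fixed string with templating before any query string or fragment (a templated query/fragment cannot change the target host)`. The exclusion also relies on `regexpMatch` being a full match, so a value whose only delimiter follows the first `?`/`#` fails to match rather than matching a shorter prefix; a few words on that would save the next reader from re-deriving it. `hasDynamicHrefHostAttributeValue` begins before and ends after this hunk.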

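--- a/javascript/ql/src/semmle/javascript/frameworks/Templating.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Templating.qll
@@ -39,4 +39,15 @@ module Templating {
 string getDelimiterMatchingRegexp() {
 result = "(?s).*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
 }
+
+/**
+* Gets a regular expression that matches a string containing one
+* of the known template delimiters identified by `getADelimiter()`,
+* storing it in its first (and only) capture group.
+* Where the string prior to the template delimiter matches the regexp `prefix`.
+*/
+bindingset[prefix]
+string getDelimiterMatchingRegexpWithPrefix(string prefix) {
+result = "(?s)" + prefix + "(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
+}
 }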
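Review bot: `getDelimiterMatchingRegexpWithPrefix` splices `prefix` into the pattern verbatim, so a prefix with top-level alternation (say `a|b`) is parsed as `(?s)a|b(delims).*` and the delimiter group no longer applies to the `a` branch, while a capturing group inside `prefix` breaks the QLDoc promise that the delimiter sits in the first capture group. Wrapping it, `result = "(?s)(?:" + prefix + ")(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"`, removes the first hazard, and the QLDoc should state that `prefix` is a regular-expression fragment that must not contain capturing groups. The last sentence of the new QLDoc is a fragment; `Only strings whose text before the delimiter matches the regexp \`prefix\` are matched.` reads better. The existing `getDelimiterMatchingRegexp` is now exactly the `prefix = ".*"` case and could delegate to the new predicate so the two cannot drift apart.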

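--- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html
+++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.html
@@ -29,5 +29,10 @@ <h1>NOT OK, because of dynamic URL</h1>
 <h1>OK: mailto is fine.</h1>
 <a target="_blank" href="mailto:{{var:mail}}">mail somone</a>
 
+<h1>OK: template elements after # or ? are fine.</h1>
+<a href="file.extension?#[% row.href %]" target="_blank">Example</a>
+<a href="file.extension?[% row.href %]" target="_blank">Example</a>
+<a href="file.extension#[% row.href %]" target="_blank">Example</a>
+
 </body>
 </html>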
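Review bot: The three new cases are all positive (`OK`) examples, so nothing pins the boundary this change introduces; a later regression that dropped the `[^?#]*` restriction entirely, or one that treated a `?`/`#` anywhere in the value as safe, would pass this test unchanged. I would add, under a `NOT OK` heading, cases where the template precedes the first `?`/`#` and the host is therefore still dynamic, e.g. `<a href="[% row.href %]?x=1" target="_blank">Example</a>` and `<a href="[% row.href %]#frag" target="_blank">Example</a>`. Since the diffstat lists only three files, the `.expected` file is untouched, which is consistent with the new rows producing no alerts; the negative cases proposed here would require a matching update to it.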
