JS: Move 'this' sanitizer to customizations

Asger F 2023-04-17 12:11:18 +02:00
Родитель 62dca44ee5
Коммит b728f71b4b
2 изменённых файлов: 7 добавлений и 3 удалений


@ -31,6 +31,13 @@ module UnsafeJQueryPlugin {
*/ */
abstract class Sanitizer extends DataFlow::Node { } abstract class Sanitizer extends DataFlow::Node { }
/**
* The receiver of a function, seen as a sanitizer.
*
* Plugins often do `$(this)` to coerce an existing DOM element to a jQuery object.
*/
private class ThisSanitizer extends Sanitizer instanceof DataFlow::ThisNode { }
/** /**
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins. * An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
*/ */
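Review bot: `ThisSanitizer` matches every `DataFlow::ThisNode`, not only the receiver of a jQuery plugin function, and its doc comment explains the `$(this)` idiom without saying why the receiver can be trusted. Because the class now extends the shared `Sanitizer` in the customizations module instead of sitting in one configuration's `isSanitizer`, any other consumer of `UnsafeJQueryPlugin::Sanitizer` presumably inherits the same cut in taint flow; the rest of the module is outside the hunk, so this is inferred. I would add a line to the comment stating the assumption, such as `* Assumes the receiver is a DOM element or jQuery object, not an attacker-controlled string.`, and note there that flow through the receiver is suppressed in all functions, which can hide results where the receiver is an options object carrying tainted data.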


@ -23,9 +23,6 @@ class Configuration extends TaintTracking::Configuration {
node instanceof DomBasedXss::Sanitizer node instanceof DomBasedXss::Sanitizer
or or
node instanceof Sanitizer node instanceof Sanitizer
or
// Plugins usually do `$(this)` to coerce an existing DOM element to a jQuery object.
node instanceof DataFlow::ThisNode
} }
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) { override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {