Taint-tracking configuration for DOM-based XSS
HtmlInjectionConfiguration
JQueryHtmlOrSelectorInjectionConfiguration
semmle.javascript.security.dataflow.DomBasedXss
=>semmle.javascript.security.dataflow.DomBasedXssCustomizations
=>semmle.javascript.security.dataflow.Xss::DomBasedXss
semmle.javascript.security.dataflow.DomBasedXss HtmlInjectionConfiguration
/**
 * Taint-tracking configuration for DOM-based XSS (HTML injection).
 *
 * Flow is reported from any `Source` to any `Sink`, except sinks that are
 * `JQueryHtmlOrSelectorSink`. Those are excluded here, so a query that
 * evaluates only this configuration reports no flows into them; they are
 * covered by `JQueryHtmlOrSelectorInjectionConfiguration`.
 */
class HtmlInjectionConfiguration extends TaintTracking::Configuration {
  // The string value is the configuration's identity; it must stay unique.
  HtmlInjectionConfiguration() { this = "HtmlInjection" }

  /** Holds if `source` is a DOM-based XSS `Source`. */
  override predicate isSource(DataFlow::Node source) {
    source instanceof Source
  }

  /**
   * Holds if `sink` is a DOM-based XSS `Sink` that is not a jQuery
   * html-or-selector sink.
   */
  override predicate isSink(DataFlow::Node sink) {
    // jQuery html-or-selector sinks are left to
    // JQueryHtmlOrSelectorInjectionConfiguration.
    not sink instanceof JQueryHtmlOrSelectorSink and
    sink instanceof Sink
  }

  /**
   * Holds if taint stops at `node`: either the inherited sanitizers apply or
   * `node` is a `Sanitizer`. Every `Sanitizer` node cuts all flow through it,
   * so an over-broad `Sanitizer` subclass hides real findings.
   */
  override predicate isSanitizer(DataFlow::Node node) {
    node instanceof Sanitizer
    or
    super.isSanitizer(node)
  }

  /** Holds if `guard` is a `SanitizerGuard`. */
  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
    guard instanceof SanitizerGuard
  }

  /**
   * Holds if the step from `pred` to `succ` does not propagate taint, as
   * decided by `DomBasedXss::isOptionallySanitizedEdge`.
   * NOTE(review): that predicate is not shown on this page; confirm which
   * edges it matches before relying on it.
   */
  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
    DomBasedXss::isOptionallySanitizedEdge(pred, succ)
  }
}
semmle.javascript.security.dataflow.DomBasedXssCustomizations
Source 与 RemoteFlowSource 取并集:所有 RemoteFlowSource 都被视为 Source
/**
 * Makes every `RemoteFlowSource` a `Source`: the characteristic predicate
 * admits any node that is a `RemoteFlowSource`, so all remote-input nodes are
 * taint origins wherever `Source` is used.
 * NOTE(review): the excerpt on this page ends before the class's closing brace.
 */
class RemoteFlowSourceAsSource extends Source {RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
semmle.javascript.security.dataflow.Xss::DomBasedXss
LibrarySink
JQueryHtmlOrSelectorSink
DomSink
HtmlParserSink
DangerouslySetInnerHtmlSink
TooltipSink
EmailHtmlBodySink
semmle.javascript.security.dataflow.DOM
https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/DOM.qll/module.DOM$DOM.html
