add test for jquery plugin parameters in js/html-constructed-from-input

erik-krogh · erik-krogh · commit dde7e9e2e827 · 2022-06-21T13:21:57.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -1,4 +1,9 @@
 nodes
+| jquery-plugin.js:11:34:11:40 | options |
+| jquery-plugin.js:11:34:11:40 | options |
+| jquery-plugin.js:12:31:12:37 | options |
+| jquery-plugin.js:12:31:12:41 | options.foo |
+| jquery-plugin.js:12:31:12:41 | options.foo |
 | main.js:1:55:1:55 | s |
 | main.js:1:55:1:55 | s |
 | main.js:2:29:2:29 | s |
@@ -53,6 +58,10 @@ nodes
 | typed.ts:17:29:17:29 | s |
 | typed.ts:17:29:17:29 | s |
 edges
+| jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options |
+| jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options |
+| jquery-plugin.js:12:31:12:37 | options | jquery-plugin.js:12:31:12:41 | options.foo |
+| jquery-plugin.js:12:31:12:37 | options | jquery-plugin.js:12:31:12:41 | options.foo |
 | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
 | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
 | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
@@ -105,6 +114,7 @@ edges
 | typed.ts:16:11:16:21 | s | typed.ts:17:29:17:29 | s |
 | typed.ts:16:15:16:21 | id("x") | typed.ts:16:11:16:21 | s |
 #select
+| jquery-plugin.js:12:31:12:41 | options.foo | jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:41 | options.foo | $@ based on $@ might later cause $@. | jquery-plugin.js:12:31:12:41 | options.foo | HTML construction | jquery-plugin.js:11:34:11:40 | options | library input | jquery-plugin.js:12:20:12:53 | "<span> ... /span>" | cross-site scripting |
 | main.js:2:29:2:29 | s | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | $@ based on $@ might later cause $@. | main.js:2:29:2:29 | s | HTML construction | main.js:1:55:1:55 | s | library input | main.js:3:49:3:52 | html | cross-site scripting |
 | main.js:7:49:7:49 | s | main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | $@ based on $@ might later cause $@. | main.js:7:49:7:49 | s | XML parsing | main.js:6:49:6:49 | s | library input | main.js:8:48:8:66 | doc.documentElement | cross-site scripting |
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js
@@ -7,3 +7,9 @@
 }(function ($) {
     $("<span>" + $.trim("foo") + "</span>"); // OK
 }));
+
+$.fn.myPlugin = function (stuff, options) {
+    $("#foo").html("<span>" + options.foo + "</span>"); // NOT OK
+
+    $("#foo").html("<span>" + stuff + "</span>"); // NOT OK - but not found [INCONSISTENCY]
+}
