
Commit 742a1e7

committed
JS: update js/double-escaping message with escaping of \
1 parent 25b337b commit 742a1e7


2 files changed

+5
-3
lines changed


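--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -125,9 +125,11 @@ from Replacement primary, Replacement supplementary, string message, string meta
 where
 primary.escapes(metachar, _) and
 supplementary = primary.getAnEarlierEscaping(metachar) and
-message = "may double-escape '" + metachar + "' characters from $@"
+message = "may double-escape '" + metachar.replaceAll("\\", "\\\\") + "' characters from $@"
 or
 primary.unescapes(_, metachar) and
 supplementary = primary.getALaterUnescaping(metachar) and
-message = "may produce '" + metachar + "' characters that are double-unescaped $@"
+message =
+"may produce '" + metachar.replaceAll("\\", "\\\\") +
+"' characters that are double-unescaped $@"
 select primary, "This replacement " + message + ".", supplementary, "here"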
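Review bot: The rendering expression `metachar.replaceAll("\\", "\\\\")` is now duplicated across both disjuncts of the `where` clause, so any later change to how a metacharacter is shown in the alert has to be made twice and the two messages can silently drift apart. A small helper above the `from` clause keeps the rule in one place, e.g. `/** Renders `metachar` for display inside the single-quoted part of the alert message. */` followed by `string displayMetachar(string metachar) { result = metachar.replaceAll("\\", "\\\\") }`, with both `message` bindings calling `displayMetachar(metachar)`. Separately, the message wraps the rendered value in single quotes but only the backslash is escaped; if `metachar` can itself be `'` (which depends on the `Replacement` class, not visible here) the quoting would read ambiguously, so it is worth confirming whether that case exists. The `from` clause that declares `metachar` sits on the hunk header line, outside the hunk itself.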

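--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -2,7 +2,7 @@
 | tst.js:20:10:20:33 | s.repla ... g, "&") | This replacement may produce '&' characters that are double-unescaped $@. | tst.js:20:10:21:35 | s.repla ... , "\\"") | here |
 | tst.js:30:10:30:33 | s.repla ... g, "&") | This replacement may produce '&' characters that are double-unescaped $@. | tst.js:30:10:32:34 | s.repla ... g, "'") | here |
 | tst.js:47:7:47:30 | s.repla ... g, "&") | This replacement may produce '&' characters that are double-unescaped $@. | tst.js:48:7:48:32 | s.repla ... , "\\"") | here |
-| tst.js:53:10:53:33 | s.repla ... , '\\\\') | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:53:10:54:33 | s.repla ... , '\\'') | here |
+| tst.js:53:10:53:33 | s.repla ... , '\\\\') | This replacement may produce '\\\\' characters that are double-unescaped $@. | tst.js:53:10:54:33 | s.repla ... , '\\'') | here |
 | tst.js:60:7:60:28 | s.repla ... '%25') | This replacement may double-escape '%' characters from $@. | tst.js:59:7:59:28 | s.repla ... '%26') | here |
 | tst.js:68:10:70:38 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
 | tst.js:79:10:79:66 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:79:10:79:43 | s.repla ... epl[c]) | here |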
