JS: add test cases with unknown flags for double escaping, works as expected.

Napalys · Napalys · commit fe28657c7da6 · 2024-11-28T11:26:51.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -6,3 +6,4 @@
 | tst.js:60:7:60:28 | s.repla ...  '%25') | This replacement may double-escape '%' characters from $@. | tst.js:59:7:59:28 | s.repla ...  '%26') | here |
 | tst.js:68:10:70:38 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
 | tst.js:79:10:79:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:79:10:79:43 | s.repla ... epl[c]) | here |
+| tst.js:99:10:101:49 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:100:51 | s.repla ... apos;") | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -94,3 +94,21 @@ function testWithCapturedVar(x) {
 function encodeDecodeEncode(s) {
  return goodEncode(goodDecode(goodEncode(s)));
 }
+
+function badEncode(s) {
+  return s.replace(new RegExp("\"", "g"), "&quot;")
+          .replace(new RegExp("\'", "g"), "&apos;")
+          .replace(new RegExp("&", "g"), "&amp;"); // NOT OK
+}
+
+function goodEncode(s) {
+  return s.replace(new RegExp("\"", ""), "&quot;")
+          .replace(new RegExp("\'", ""), "&apos;")
+          .replace(new RegExp("&", ""), "&amp;"); // OK
+}
+
+function goodEncode(s) {
+  return s.replace(new RegExp("\"", unknownFlags()), "&quot;")
+          .replace(new RegExp("\'", unknownFlags()), "&apos;")
+          .replace(new RegExp("&", unknownFlags()), "&amp;"); // OK
+}
