
Commit 1ec8bfa

Ensure sanitizeContent attribute is respected
1 parent d52a0c7 commit 1ec8bfa


21 files changed

+249
-0
lines changed


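--- a/javascript/frameworks/ui5/test/README.md
+++ b/javascript/frameworks/ui5/test/README.md
@@ -51,6 +51,15 @@ User input flows to XSS sinks via event handlers in 4 different ways:
 - `sap.ui.core.HTML` Control
 - dataflow in the controller
 
+### [xss-html-control-df sanitized](queries/UI5Xss/xss-html-control-df sanitized)
+- `sap.ui.core.HTML` Control
+- sanitization setting `sanitizeContent` property to true programmatically
+
+### [xss-html-control-df sanitized-disable](queries/UI5Xss/xss-html-control-df sanitized-disable)
+- `sap.ui.core.HTML` Control
+- sanitization using the `sanitizeContent` property set to true
+- sanitization disabled by programmatically setting the `sanitizeContent` property to false
+
 ### [xss-html-control-oneway](queries/UI5Xss/xss-html-control-oneway)
 - `sap.ui.core.HTML` Control
 - one-way binding makes the xss fail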
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
nodes
2+
| webapp/controller/app.controller.js:9:17:9:27 | input: null |
3+
| webapp/controller/app.controller.js:10:17:10:28 | output: null |
4+
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
5+
| webapp/controller/app.controller.js:15:17:15:21 | input |
6+
| webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
7+
| webapp/controller/app.controller.js:16:43:16:47 | input |
8+
| webapp/view/app.view.xml:5:5:7:28 | value={/input} |
9+
| webapp/view/app.view.xml:8:5:8:37 | content={/output} |
10+
edges
11+
| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
12+
| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
13+
| webapp/controller/app.controller.js:10:17:10:28 | output: null | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
14+
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
15+
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
16+
| webapp/controller/app.controller.js:15:17:15:21 | input | webapp/controller/app.controller.js:16:43:16:47 | input |
17+
| webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') | webapp/controller/app.controller.js:15:17:15:21 | input |
18+
| webapp/controller/app.controller.js:16:43:16:47 | input | webapp/controller/app.controller.js:10:17:10:28 | output: null |
19+
| webapp/controller/app.controller.js:16:43:16:47 | input | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
20+
| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
21+
| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
22+
| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/controller/app.controller.js:10:17:10:28 | output: null |
23+
#select
24+
| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/view/app.view.xml:8:5:8:37 | content={/output} | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
UI5Xss/UI5Xss.ql

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df sanitized-disable/package-lock.json

Lines changed: 12 additions & 0 deletions
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
{
2+
"name": "sap-ui5-xss",
3+
"version": "1.0.0",
4+
"main": "index.js"
5+
}
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
specVersion: '3.0'
2+
metadata:
3+
name: sap-ui5-xss
4+
type: application
5+
framework:
6+
name: SAPUI5
7+
version: "1.115.0"
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
sap.ui.define([
2+
"sap/ui/core/mvc/Controller",
3+
"sap/ui/model/json/JSONModel"
4+
], function (Controller, JSONModel) {
5+
"use strict";
6+
return Controller.extend("codeql-sap-js.controller.app", {
7+
onInit: function () {
8+
var oData = {
9+
input: null,
10+
output: null,
11+
};
12+
var oModel = new JSONModel(oData);
13+
this.getView().setModel(oModel);
14+
15+
// enable sanitization programmatically
16+
this.getView().setProperty("sanitizeContent", false);
17+
this.getView().byId("htmlControl").setProperty("sanitizeContent", false);
18+
this.getView().byId("htmlControl").sanitizeContent = false;
19+
20+
var input = oModel.getProperty('/input');
21+
oModel.setProperty('/output', input);
22+
}
23+
});
24+
}
25+
);
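Review bot: The comment on line 15, `// enable sanitization programmatically`, contradicts the three statements directly beneath it, which all set `sanitizeContent` to `false`; the README entry added in this same commit describes this case as sanitization being disabled programmatically, so the comment should read `// disable sanitization programmatically (overrides the sanitizeContent=true presumably declared on the control in the view)`. It would also help a reader to say why three different forms are used on lines 16–18: as far as I can tell only `byId("htmlControl").setProperty("sanitizeContent", false)` targets the HTML control's managed property, while the first statement addresses the view rather than the control and the third assigns a plain JavaScript field, so a one-line comment stating that these are deliberate variants the query must all recognise as sanitizer overrides would stop them being read as a bug. The expected output in this commit still reports the `content={/output}` sink from `value={/input}`, which is consistent with sanitization being disabled here.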
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
<!DOCTYPE html>
2+
<html>
3+
4+
<head>
5+
6+
<meta charset="utf-8">
7+
<title>SAPUI5 XSS</title>
8+
<script src="https://sdk.openui5.org/resources/sap-ui-core.js"
9+
data-sap-ui-libs="sap.m"
10+
data-sap-ui-onInit="module:codeql-sap-js/index"
11+
data-sap-ui-resourceroots='{
12+
"codeql-sap-js": "./"
13+
}'>
14+
</script>
15+
</head>
16+
17+
<body class="sapUiBody" id="content">
18+
19+
</body>
20+
21+
</html>
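Review bot: The bootstrap on lines 8–14 loads `sap-ui-core.js` from `https://sdk.openui5.org/resources/` with no version segment, so the fixture pulls whatever build the CDN currently serves, while `ui5.yaml` in the same commit pins the framework to `1.115.0`; if the version matters for reproducing the `sanitizeContent` behaviour, point the script at a versioned path such as `https://sdk.openui5.org/1.115.0/resources/sap-ui-core.js`, or add a comment stating that the fixture is only analysed statically and never executed. `ui5.yaml` also declares the framework as `SAPUI5` while this page fetches from the OpenUI5 CDN, which is a second inconsistency worth a one-line comment if it is intentional.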
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
sap.ui.define([
2+
"sap/ui/core/mvc/XMLView"
3+
], function (XMLView) {
4+
"use strict";
5+
XMLView.create({
6+
viewName: "codeql-sap-js.view.app"
7+
}).then(function (oView) {
8+
oView.placeAt("content");
9+
});
10+
11+
});
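Review bot: The `XMLView.create(...).then(...)` chain on lines 5–9 has no rejection handler, so a failure to load or parse `codeql-sap-js.view.app` would surface only as an unhandled promise rejection with no context. If this fixture is ever run in a browser, appending `.catch(function (err) { console.error("failed to create view", err); })` after the `then` makes the failure visible; if it is only ever analysed statically, a short comment saying so would explain why the handler is omitted.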
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
{
2+
"sap.app": {
3+
"id": "sap-ui5-xss"
4+
}
5+
}
