CodeQL documentation

Replacement of a substring with itself

ID: js/identity-replacement
Kind: problem
Security severity: 5.0
Severity: warning
Precision: very-high
Tags:
   - correctness
   - security
   - external/cwe/cwe-116
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Replacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.

Recommendation

Examine the string replacement to find and correct any typos.

Example

The following code snippet attempts to backslash-escape all double quotes in raw by replacing all instances of " with \":

var escaped = raw.replace(/"/g, '\"');

However, the replacement string '\"' is actually the same as '"', with \" interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be '\\"':

var escaped = raw.replace(/"/g, '\\"');
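
The following added example is not part of the original page and is not CodeQL's own analysis. It is a simplified runtime check for the same mistake, run against the two snippets above; the function names and the sample input are hypothetical.

```javascript
// Added example: simplified runtime check, not CodeQL's own analysis.
// All function names and the sample input are hypothetical.

// Return the one string a pattern can match, or null if it is not a constant.
function constantMatch(pattern) {
  if (typeof pattern === 'string') return pattern;
  if (!(pattern instanceof RegExp) || pattern.ignoreCase) return null;
  const src = pattern.source;
  let out = '';
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') {
      const next = src[++i];
      // \d, \n, \b, \1 ... are special; punctuation escapes (\" \/ \.) are literal.
      if (next === undefined || /[A-Za-z0-9]/.test(next)) return null;
      out += next;
    } else if ('^$.*+?()[]{}|'.includes(c)) {
      return null; // metacharacter: not a plain literal
    } else {
      out += c;
    }
  }
  return out;
}

// True when replace(pattern, replacement) can only put back what it matched.
// Replacements containing '$' ($&, $1, ...) are conservatively not flagged.
function isIdentityReplacement(pattern, replacement) {
  if (typeof replacement !== 'string' || replacement.includes('$')) return false;
  const matched = constantMatch(pattern);
  return matched !== null && matched !== '' && matched === replacement;
}

const raw = 'say "hi"'; // constructed sample input

// The page's two snippets, wrapped so their results can be compared.
function escapeBroken(s) { return s.replace(/"/g, '\"'); }
function escapeFixed(s) { return s.replace(/"/g, '\\"'); }

console.log(isIdentityReplacement(/"/g, '\"'), escapeBroken(raw) === raw);
console.log(isIdentityReplacement(/"/g, '\\"'), escapeFixed(raw));
```

The first call is flagged and leaves the input unchanged; the second is not flagged and produces backslash-escaped quotes.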
