CodeQL documentation

Replacement of a substring with itself

ID: js/identity-replacement
Kind: problem
Severity: warning
Precision: very-high
   - correctness
   - security
   - external/cwe/cwe-116
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Replacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.


Examine the string replacement to find and correct any typos.


The following code snippet attempts to backslash-escape all double quotes in raw by replacing all instances of " with \":

var escaped = raw.replace(/"/g, '\"');

However, the replacement string '\"' is actually the same as '"', with \" interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be '\\"':

var escaped = raw.replace(/"/g, '\\"');