Class ReflectedXss::HttpResponseSink
An expression that is sent as part of an HTTP response, considered as an XSS sink.
We exclude cases where the route handler sets either an unknown content type or a content type that does not (case-insensitively) contain the string “html”. This is to prevent us from flagging plain-text or JSON responses as vulnerable.
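The following added example (not CodeQL's implementation and not part of the library) is a toy model of this exclusion rule applied to constructed Express-style handlers. The function name `classifyHandler`, the regex-based matching, and the choice of `res.set` / `res.header` / `res.setHeader` as the content-type calls are assumptions made for illustration.

```javascript
// Toy model of the exclusion rule described above; not CodeQL's implementation.
// Assumption: content types are set via res.set/header/setHeader("Content-Type", <arg>).
const SET_CT = /\.(?:set|header|setHeader)\(\s*(['"])content-type\1\s*,\s*([^)]+?)\s*\)/gi;
const STRING_LITERAL = /^(['"])(.*)\1$/;

// Decide whether a response write in this handler would be kept as an XSS sink.
// Returns { sink, reason } for one handler's source text.
function classifyHandler(source) {
  const settings = [...source.matchAll(SET_CT)].map((m) => m[2]);
  if (settings.length === 0) {
    // Nothing excludes the handler: no content type is set at all.
    return { sink: true, reason: "no content type set" };
  }
  for (const arg of settings) {
    const lit = STRING_LITERAL.exec(arg);
    // A non-constant argument is an "unknown content type": excluded.
    if (!lit) return { sink: false, reason: "unknown content type" };
    // Case-insensitive check for the substring "html".
    if (!lit[2].toLowerCase().includes("html")) {
      return { sink: false, reason: "non-HTML content type" };
    }
  }
  return { sink: true, reason: "HTML content type" };
}

// Constructed sample handlers, embedded as source text.
const samples = {
  implicit: `(req, res) => { res.send("Hello " + req.query.name); }`,
  html: `(req, res) => { res.set("Content-Type", "Text/HTML; charset=utf-8");
                         res.send(req.query.name); }`,
  json: `(req, res) => { res.setHeader("content-type", "application/json");
                         res.send(req.query.name); }`,
  plain: `(req, res) => { res.set('Content-Type', 'text/plain');
                          res.send(req.query.name); }`,
  dynamic: `(req, res) => { res.set("Content-Type", pickType(req));
                            res.send(req.query.name); }`,
};

for (const [name, src] of Object.entries(samples)) {
  const { sink, reason } = classifyHandler(src);
  console.log(`${name}: ${sink ? "sink" : "excluded"} (${reason})`);
}
```

In this model the `json`, `plain` and `dynamic` handlers are excluded, so a missed alert is possible if a handler's unknown content type turns out to be HTML at run time.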
Import path
import semmle.javascript.security.dataflow.ReflectedXssCustomizations
Direct supertypes
Inherited predicates
accessesGlobal | Holds if this data flow node accesses the global variable | from Node |
analyze | Gets type inference results for this data flow node. | from Node |
asExpr | Gets the expression corresponding to this data flow node, if any. | from Node |
getABoundFunctionValue | Gets a function value that may reach this node, possibly derived from a partial function invocation. | from Node |
getAFunctionValue | Gets a function value that may reach this node. | from Node |
getAFunctionValue | Gets a function value that may reach this node with the given | from Node |
getALocalSource | Gets a source node from which data may flow to this node in zero or more local steps. | from Node |
getAPredecessor | Gets a data flow node from which data may flow to this node in one local step. | from Node |
getASuccessor | Gets a data flow node to which data may flow from this node in one local step. | from Node |
getAstNode | Gets the AST node corresponding to this data flow node, if any. | from Node |
getBasicBlock | Gets the basic block to which this node belongs. | from Node |
getContainer | Gets the container in which this node occurs. | from Node |
getEnclosingExpr | Gets the expression enclosing this data flow node. In most cases the result is the same as | from Node |
getEndColumn | Gets the end column of this data flow node. | from Node |
getEndLine | Gets the end line of this data flow node. | from Node |
getFile | Gets the file this data flow node comes from. | from Node |
getImmediatePredecessor | Gets the immediate predecessor of this node, if any. | from Node |
getIntValue | Gets the integer value of this node, if it is an integer constant. | from Node |
getLocation | Gets the location of this node. | from Node |
getStartColumn | Gets the start column of this data flow node. | from Node |
getStartLine | Gets the start line of this data flow node. | from Node |
getStringValue | Gets the string value of this node, if it is a string literal or constant string concatenation. | from Node |
getTopLevel | Gets the toplevel in which this node occurs. | from Node |
getVulnerabilityKind | Gets the kind of vulnerability to report in the alert message. | from Sink |
hasLocationInfo | Holds if this element is at the specified location. The location spans column | from Node |
hasUnderlyingType | Holds if this node is annotated with the given named type, or is declared as a subtype thereof, or is a union or intersection containing such a type. | from Node |
hasUnderlyingType | Holds if this node is annotated with the given named type, or is declared as a subtype thereof, or is a union or intersection containing such a type. | from Node |
isIncomplete | Holds if the flow information for this node is incomplete. | from Node |
mayHaveBooleanValue | Holds if this node may evaluate to the Boolean value | from Node |
mayHaveStringValue | Holds if this node may evaluate to the string | from Node |
toString | Gets a textual representation of this element. | from Node |