CodeQL library for JavaScript/TypeScript
codeql/javascript-all 0.8.14 (changelog, source)
Module XssThroughDom

Sources for cross-site scripting vulnerabilities through the DOM.

Import path

import semmle.javascript.security.dataflow.XssThroughDomCustomizations

Predicates

getSelectionCall

Gets a reference to a value obtained by calling window.getSelection(). https://developer.mozilla.org/en-US/docs/Web/API/Selection

unsafeAttributeName

Gets an attribute name that could store user-controlled data.

unsafeDomPropertyName

Gets a DOM property name that could store user-controlled data.

Classes

D3TextSource

A source for text from the DOM from a d3 method call.

DomPropertySource

A read of a DOM property seen as a source for cross-site scripting vulnerabilities through the DOM.

DomTextSource

A source for text from the DOM from a DOM property read or call to getAttribute().

FilesSource

The files property of an <input /> element.

JQueryDomPropertySource

A source for text from a DOM property read by jQuery.

JQueryTextSource

A source for text from the DOM from a jQuery method call.

SelectionSource

A source for text from the DOM from calling toString() on a Selection object. The toString() method returns the currently selected text in the DOM. https://developer.mozilla.org/en-US/docs/Web/API/Selection

Source

A data flow source for XSS through DOM vulnerabilities.

Modules

Forms

A module for form inputs seen as sources for XSS through the DOM.