Query module IncompleteSanitization

name: Incomplete string escaping or encoding
description: A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective.
kind: problem
problem.severity: warning
precision: high
id: js/incomplete-sanitization
tags: correctness security external/cwe/cwe-116 external/cwe/cwe-20

Imports

javascript

Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML.

Predicates

allBackslashesEscaped

Holds if data flowing into nd has no un-escaped backslashes.

getAMatchedConstant

Gets a constant matched by t.

getAMatchedString

Gets a string matched by e in a replace call.

isBackslashEscape

Holds if mce is of the form x.replace(re, new), where re is a global regular expression and new prefixes the matched string with a backslash.

isSimple

Holds if t is simple, that is, a union of constants.

metachar

Gets a character that is commonly used as a meta-character.
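The following is an added example, not code from the CodeQL query or its library: it shows the first-occurrence-only replace pattern that the module description and isBackslashEscape concern, a global-regex variant, the backslash case that allBackslashesEscaped is about, and a small checker for unescaped meta-characters. All function names are chosen here for illustration.

```javascript
// Added illustration of the js/incomplete-sanitization problem (not the query's own code).

// Incomplete: a string pattern (or a regex without the g flag) replaces only the
// first occurrence, so any later quote in the input stays unescaped.
function escapeQuoteFirstOnly(s) {
  return s.replace("'", "\\'");
}

// Complete for quotes: a global regex rewrites every occurrence. Backslashes are
// still untouched, so an input backslash before a quote neutralises the escape
// that was added (the quote stays live inside a single-quoted literal).
function escapeQuoteGlobal(s) {
  return s.replace(/'/g, "\\'");
}

// Complete: escape backslashes first, then quotes, both globally.
function escapeForSingleQuoted(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Returns true if `ch` occurs in `s` without an escaping backslash in front of it,
// which is the condition under which a transformer is ineffective.
function hasUnescaped(s, ch) {
  let escaped = false;
  for (const c of s) {
    if (escaped) { escaped = false; continue; } // this char is consumed by the backslash
    if (c === "\\") { escaped = true; continue; }
    if (c === ch) return true;
  }
  return false;
}

// Constructed sample inputs: several quotes, and a backslash followed by a quote.
const samples = ["it's 'x'", "\\'"];
for (const input of samples) {
  console.log(JSON.stringify(input),
    "first-only:", hasUnescaped(escapeQuoteFirstOnly(input), "'"),
    "global:", hasUnescaped(escapeQuoteGlobal(input), "'"),
    "full:", hasUnescaped(escapeForSingleQuoted(input), "'"));
}
```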