JavaScript: Learn that receivers of DOM event handlers are themselves DOM elements. #5262
Conversation
|
This was found by TSM |
| @@ -0,0 +1,3 @@ | |||
| document.getElementById('my-id').onclick = function() { | |||
| this.parentNode.innerHTML = '<h2><a href="' + location.href + '">A link</a></h2>'; // NOT OK | |||
There was a problem hiding this comment.
I'm not sure how exploitable this code pattern would be, considering that location.href is URL-encoded, but of course that's nothing to do with this PR.
There was a problem hiding this comment.
I recall there was an issue with IE not encoding the URL when redirected via a Location header, so I'm fine with flagging it.
There was a problem hiding this comment.
And maybe add a comment about not using getABoundFunctionValue exactly because bound functions will tend to have a different receiver anyway.
| or | ||
| // A receiver node of an event handler on a DOM node | ||
| exists(string handler | handler.matches("on%") | | ||
| this = domValueRef().getAPropertySource(handler).(DataFlow::FunctionNode).getReceiver() |
There was a problem hiding this comment.
Could we support addEventListener here?
| @@ -0,0 +1,3 @@ | |||
| document.getElementById('my-id').onclick = function() { | |||
| this.parentNode.innerHTML = '<h2><a href="' + location.href + '">A link</a></h2>'; // NOT OK | |||
There was a problem hiding this comment.
I recall there was an issue with IE not encoding the URL when redirected via a Location header, so I'm fine with flagging it.
|
Thanks, @asgerf! Comments addressed and change note added. |
|
It did (internal link). Sorry for the delay, and many thanks to @erik-krogh for helping with finally getting the evaluation done! |
cf https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/this#in_an_inline_event_handler