d52a0c7
Ensure sanitizeContent attribute is respected
mbaluda Nov 19, 2025
1ec8bfa
Ensure sanitizeContent attribute is respected
mbaluda Nov 19, 2025
0a7b668
Add more tests
mbaluda Nov 19, 2025
6a00000
Exclude sanitized HTML views from XSS sinks
mbaluda Nov 21, 2025
807ea34
Fix ql-4-ql alerts
mbaluda Nov 21, 2025
02c4537
Fix workflow
mbaluda Nov 21, 2025
235c441
Update expected file
mbaluda Nov 21, 2025
f108236
fix README
mbaluda Nov 21, 2025
ee49547
Address review comments
mbaluda Nov 25, 2025
9b50447
Fix conflict
mbaluda Nov 30, 2025
ddf7a6e
Merge branch 'main' into mbaluda/sanitize-content
mbaluda Nov 30, 2025
1a2c5cc
update expected sile
mbaluda Nov 30, 2025
0929f6e
fix expected file
mbaluda Nov 30, 2025
6baa2d7
Merge branch 'main' into mbaluda/sanitize-content
mbaluda Dec 1, 2025
744bf21
Update javascript/frameworks/ui5/lib/advanced_security/javascript/fra…
mbaluda Dec 2, 2025
9a36d3d
improved sink tests
mbaluda Dec 3, 2025
6d62945
update ui5.model.yml with RTE sinks
mbaluda Dec 3, 2025
b301afd
rename function isHTMLSanitized
mbaluda Dec 3, 2025
41ac329
Fix sink test for RichTextEditor
mbaluda Dec 3, 2025
213e17a
tests
mbaluda Dec 3, 2025
0b88cb8
Merge branch 'main' into mbaluda/sanitize-content
mbaluda Dec 8, 2025
bb2aab5
Address review
mbaluda Dec 8, 2025
8072f6b
missing tag
mbaluda Dec 8, 2025
e2bf1b3
Merge branch 'main' into mbaluda/sanitize-content
jeongsoolee09 Dec 11, 2025
863ea7b
Address review 2
mbaluda Dec 11, 2025
03ebe7f
Merge branch 'main' into mbaluda/sanitize-content
mbaluda Dec 11, 2025
4808163
update expected file
mbaluda Dec 12, 2025
Expand Up @@ -649,14 +649,11 @@ class XmlView extends UI5View instanceof XmlFile {
ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
result.getBindingTarget() = control.getAttribute(property) and
/* If the control is an `sap.ui.core.HTML` then the control should be missing the `sanitizeContent` attribute */
(
getASuperType(type) = "HTMLControl"
implies
(
not exists(control.getAttribute("sanitizeContent")) or
control.getAttribute("sanitizeContent").getValue() = "false"
)
not (
getASuperType(type) = "UI5HTMLControl" and
// `sap.ui.core.HTML` controls are not sinks if the `sanitizeContent` attribute set to true
control.getAttribute("sanitizeContent").getValue() = "true"
// TODO: unless progeammatically set ot false
)
)
}
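Review bot: The new exclusion keys only on the literal XML attribute `sanitizeContent="true"`, so a control whose controller later calls `setProperty("sanitizeContent", false)` stays excluded from the sink set; the trailing TODO acknowledges this, and the `sanitized-disable` fixture added in this PR appears to exercise exactly that case, so it deserves a tracked issue rather than a TODO (whether that fixture's recorded alert comes from this predicate or from another sink model is not visible here). The TODO text also has two typos and should read `// TODO: unless programmatically set to false`. If the comment above the parenthesised block is kept on the new side it is now stale — the condition accepts a missing attribute or any value other than `"true"` — and could become `/* An sap.ui.core.HTML control is a sink unless its sanitizeContent attribute is "true" */`. The enclosing predicate starts before this hunk.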
15 changes: 14 additions & 1 deletion javascript/frameworks/ui5/test/README.md
Expand Up @@ -42,11 +42,24 @@ User input flows to XSS sinks via event handlers in 4 different ways:

### [xss-html-control](queries/UI5Xss/xss-html-control)
- `sap.ui.core.HTML` Control

### [xss-html-control sanitized](queries/UI5Xss/xss-html-control sanitized)
- `sap.ui.core.HTML` Control
- sanitization using the `sanitizeContent` property set to true

### [xss-html-control-df](queries/UI5Xss/xss-html-control-df)
- `sap.ui.core.HTML` Control
- dataflow in the controller

### [xss-html-control-df sanitized](queries/UI5Xss/xss-html-control-df sanitized)
- `sap.ui.core.HTML` Control
- sanitization setting `sanitizeContent` property to true programmatically

### [xss-html-control-df sanitized-disable](queries/UI5Xss/xss-html-control-df sanitized-disable)
- `sap.ui.core.HTML` Control
- sanitization using the `sanitizeContent` property set to true
- sanitization disabled by programmatically setting the `sanitizeContent` property to false

### [xss-html-control-oneway](queries/UI5Xss/xss-html-control-oneway)
- `sap.ui.core.HTML` Control
- one-way binding makes the xss fail
Expand All @@ -57,7 +70,7 @@ User input flows to XSS sinks via event handlers in 4 different ways:

### [xss-html-view](queries/UI5Xss/xss-html-view)
- `sap.ui.core.mvc.HTMLView` View
-

### [xss-indirect-control](queries/UI5Xss/xss-indirect-control)
- control accessed indirectly

@@ -0,0 +1 @@
UI5Xss/UI5Xss.ql
@@ -0,0 +1,5 @@
{
"name": "sap-ui5-xss",
"version": "1.0.0",
"main": "index.js"
}
@@ -0,0 +1,7 @@
specVersion: '3.0'
metadata:
name: sap-ui5-xss
type: application
framework:
name: SAPUI5
version: "1.115.0"
@@ -0,0 +1,15 @@
sap.ui.define([
"sap/ui/core/mvc/Controller",
"sap/ui/model/json/JSONModel"
], function (Controller, JSONModel) {
"use strict"
return Controller.extend("codeql-sap-js.controller.app", {
onInit: function () {
var oData = {
input: null
};
var oModel = new JSONModel(oData);
this.getView().setModel(oModel);
}
});
})
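Review bot: The `"use strict"` directive on the first line of the factory body has no terminating semicolon, unlike the sibling fixtures in this PR which write `"use strict";`; it still takes effect as a directive prologue, but relying on ASI here is inconsistent across the three controllers. The final `})` that closes `sap.ui.define(...)` is likewise unterminated, where the other fixtures close with `);`.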
@@ -0,0 +1,21 @@
<!DOCTYPE html>
<html>

<head>

<meta charset="utf-8">
<title>SAPUI5 XSS</title>
<script src="https://sdk.openui5.org/resources/sap-ui-core.js"
data-sap-ui-libs="sap.m"
data-sap-ui-onInit="module:codeql-sap-js/index"
data-sap-ui-resourceroots='{
"codeql-sap-js": "./"
}'>
</script>
</head>

<body class="sapUiBody" id="content">

</body>

</html>
@@ -0,0 +1,11 @@
sap.ui.define([
"sap/ui/core/mvc/XMLView"
], function (XMLView) {
"use strict";
XMLView.create({
viewName: "codeql-sap-js.view.app"
}).then(function (oView) {
oView.placeAt("content");
});

});
@@ -0,0 +1,5 @@
{
"sap.app": {
"id": "sap-ui5-xss"
}
}
@@ -0,0 +1,9 @@
<mvc:View controllerName="codeql-sap-js.controller.app"
xmlns="sap.m"
xmlns:core="sap.ui.core"
xmlns:mvc="sap.ui.core.mvc">
<Input placeholder="Enter Payload"
description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
value="{/input}" /> <!--User input source sap.m.Input.value -->
<core:HTML content="{/input}" sanitizeContent="true" /> <!-- sanitized XSS sink sap.ui.core.HTML.content -->
</mvc:View>
@@ -0,0 +1,24 @@
nodes
| webapp/controller/app.controller.js:9:17:9:27 | input: null |
| webapp/controller/app.controller.js:10:17:10:28 | output: null |
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
| webapp/controller/app.controller.js:15:17:15:21 | input |
| webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
| webapp/controller/app.controller.js:16:43:16:47 | input |
| webapp/view/app.view.xml:5:5:7:28 | value={/input} |
| webapp/view/app.view.xml:8:5:8:37 | content={/output} |
edges
| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
| webapp/controller/app.controller.js:10:17:10:28 | output: null | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
| webapp/controller/app.controller.js:15:17:15:21 | input | webapp/controller/app.controller.js:16:43:16:47 | input |
| webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') | webapp/controller/app.controller.js:15:17:15:21 | input |
| webapp/controller/app.controller.js:16:43:16:47 | input | webapp/controller/app.controller.js:10:17:10:28 | output: null |
| webapp/controller/app.controller.js:16:43:16:47 | input | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/controller/app.controller.js:10:17:10:28 | output: null |
#select
| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/view/app.view.xml:8:5:8:37 | content={/output} | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
@@ -0,0 +1 @@
UI5Xss/UI5Xss.ql
@@ -0,0 +1,5 @@
{
"name": "sap-ui5-xss",
"version": "1.0.0",
"main": "index.js"
}
@@ -0,0 +1,7 @@
specVersion: '3.0'
metadata:
name: sap-ui5-xss
type: application
framework:
name: SAPUI5
version: "1.115.0"
@@ -0,0 +1,25 @@
sap.ui.define([
"sap/ui/core/mvc/Controller",
"sap/ui/model/json/JSONModel"
], function (Controller, JSONModel) {
"use strict";
return Controller.extend("codeql-sap-js.controller.app", {
onInit: function () {
var oData = {
input: null,
output: null,
};
var oModel = new JSONModel(oData);
this.getView().setModel(oModel);

// enable sanitization programmatically
this.getView().setProperty("sanitizeContent", false);
this.getView().byId("htmlControl").setProperty("sanitizeContent", false);
this.getView().byId("htmlControl").sanitizeContent = false;

var input = oModel.getProperty('/input');
oModel.setProperty('/output', input);
}
});
}
);
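Review bot: The comment `// enable sanitization programmatically` contradicts the three statements beneath it, which all set `sanitizeContent` to `false`; it should read `// disable sanitization programmatically`. The three forms — `setProperty` on the view, `setProperty` on the `htmlControl`, and a direct field write `.sanitizeContent = false` — look intended to exercise different patterns the sink model must recognise, so a short comment on each saying which pattern it covers would make the fixture's intent explicit for whoever next edits the expected output; note that the view-level `setProperty` targets the view, not the HTML control, which is presumably deliberate but worth saying.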
@@ -0,0 +1,21 @@
<!DOCTYPE html>
<html>

<head>

<meta charset="utf-8">
<title>SAPUI5 XSS</title>
<script src="https://sdk.openui5.org/resources/sap-ui-core.js"
data-sap-ui-libs="sap.m"
data-sap-ui-onInit="module:codeql-sap-js/index"
data-sap-ui-resourceroots='{
"codeql-sap-js": "./"
}'>
</script>
</head>

<body class="sapUiBody" id="content">

</body>

</html>
@@ -0,0 +1,11 @@
sap.ui.define([
"sap/ui/core/mvc/XMLView"
], function (XMLView) {
"use strict";
XMLView.create({
viewName: "codeql-sap-js.view.app"
}).then(function (oView) {
oView.placeAt("content");
});

});
@@ -0,0 +1,5 @@
{
"sap.app": {
"id": "sap-ui5-xss"
}
}
@@ -0,0 +1,9 @@
<mvc:View controllerName="codeql-sap-js.controller.app"
xmlns="sap.m"
xmlns:core="sap.ui.core"
xmlns:mvc="sap.ui.core.mvc">
<Input placeholder="Enter Payload"
description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
value="{/input}" /> <!--User input source sap.m.Input.value -->
<core:HTML id="htmlControl" content="{/output}" sanitizeContent="true" /> <!--XSS sink sap.ui.core.HTML.content -->
</mvc:View>
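Review bot: The inline comment `<!--XSS sink sap.ui.core.HTML.content -->` sits on a control declared with `sanitizeContent="true"`, which reads as a contradiction until one opens the controller, where the property is set back to `false`; the comment should carry that context, e.g. `<!-- XSS sink sap.ui.core.HTML.content: sanitizeContent="true" here is reset to false in app.controller.js -->`. The sibling fixture's view labels the same control `sanitized XSS sink`, so aligning the two wordings would also help when reading the expected files side by side.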
@@ -0,0 +1,24 @@
nodes
| webapp/controller/app.controller.js:9:17:9:27 | input: null |
| webapp/controller/app.controller.js:10:17:10:28 | output: null |
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
| webapp/controller/app.controller.js:15:17:15:21 | input |
| webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
| webapp/controller/app.controller.js:16:43:16:47 | input |
| webapp/view/app.view.xml:5:5:7:28 | value={/input} |
| webapp/view/app.view.xml:8:5:8:37 | content={/output} |
edges
| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
| webapp/controller/app.controller.js:10:17:10:28 | output: null | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') |
| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
| webapp/controller/app.controller.js:15:17:15:21 | input | webapp/controller/app.controller.js:16:43:16:47 | input |
| webapp/controller/app.controller.js:15:25:15:52 | oModel. ... input') | webapp/controller/app.controller.js:15:17:15:21 | input |
| webapp/controller/app.controller.js:16:43:16:47 | input | webapp/controller/app.controller.js:10:17:10:28 | output: null |
| webapp/controller/app.controller.js:16:43:16:47 | input | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/controller/app.controller.js:10:17:10:28 | output: null |
#select
| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/view/app.view.xml:8:5:8:37 | content={/output} | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
@@ -0,0 +1 @@
UI5Xss/UI5Xss.ql
@@ -0,0 +1,5 @@
{
"name": "sap-ui5-xss",
"version": "1.0.0",
"main": "index.js"
}
@@ -0,0 +1,7 @@
specVersion: '3.0'
metadata:
name: sap-ui5-xss
type: application
framework:
name: SAPUI5
version: "1.115.0"
@@ -0,0 +1,25 @@
sap.ui.define([
"sap/ui/core/mvc/Controller",
"sap/ui/model/json/JSONModel"
], function (Controller, JSONModel) {
"use strict";
return Controller.extend("codeql-sap-js.controller.app", {
onInit: function () {
var oData = {
input: null,
output: null,
};
var oModel = new JSONModel(oData);
this.getView().setModel(oModel);

// enable sanitization programmatically
//this.getView().setProperty("sanitizeContent", true);
this.getView().byId("htmlControl").setProperty("sanitizeContent", true);
this.getView().byId("htmlControl").sanitizeContent = true;

var input = oModel.getProperty('/input');
oModel.setProperty('/output', input);
}
});
}
);
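Review bot: The commented-out line `//this.getView().setProperty("sanitizeContent", true);` is dead code in a fixture; either delete it or replace it with a comment explaining why the view-level call is intentionally omitted here while the `sanitized-disable` controller keeps it live. Separately, the `.expected` file printed just before this directory's files records an alert on `content={/output}` and is byte-identical to the one for the `sanitized-disable` fixture; if that file belongs to this fixture, an alert contradicts the README's description of it as sanitized, so it is worth confirming the expected output is not stale from an earlier commit in this PR.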
@@ -0,0 +1,21 @@
<!DOCTYPE html>
<html>

<head>

<meta charset="utf-8">
<title>SAPUI5 XSS</title>
<script src="https://sdk.openui5.org/resources/sap-ui-core.js"
data-sap-ui-libs="sap.m"
data-sap-ui-onInit="module:codeql-sap-js/index"
data-sap-ui-resourceroots='{
"codeql-sap-js": "./"
}'>
</script>
</head>

<body class="sapUiBody" id="content">

</body>

</html>