phoedos/pmd
1
1
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

@W-8680425@: Added LINKTO back into the list of inherently safe functions.

Browse Source
This commit is contained in:
Joshua Feingold
2021-01-29 10:02:09 -06:00
parent a4916f94fc
commit d88d8ff913
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/internal/ElEscapeDetector.java
View File

@ -41,7 +41,7 @@ public final class ElEscapeDetector {
// These Text functions are safe, either because of what they accept or what they return.
"begins", "br", "casesafeid", "contains", "find", "getsessionid", "ispickval", "len",
// These Advanced functions are safe because of what they accept or what they return.
"currencyrate", "getrecordids", "ischanged", "junctionidlist", "regex", "urlfor"
"currencyrate", "getrecordids", "ischanged", "junctionidlist", "linkto", "regex", "urlfor"
));
private static final Set<String> FUNCTIONS_WITH_XSSABLE_ARG0 = new HashSet<>(Arrays.asList(
// For these methods, the first argument is a string that must be escaped.