Open maltek opened 1 year ago
Unfortunately, with the current babel parser that's not possible as these EJS tags can occur in quite weird combination resulting in unparsable code. Thus, I had to strip them away (see: https://github.com/joernio/joern/blob/master/joern-cli/frontends/jssrc2cpg/src/test/scala/io/joern/jssrc2cpg/preprocessing/EjsPreprocessorTest.scala). Hence, the DOM nodes are dropped. One might be able to re-scan the original ejs file to find e.g., something like the XSS in your example.
So in other words Babel does not support EJS and we strip away the EJS parts that Babel does not understand?
Exactly. EJS templates are neither valid HTML code (that's why I can't use jsoup e.g.) nor valid JS/JSX (EJS allows for embedding any JS construct in a template tag - but JSX allows for expressions only).
for a snippet like
ideally we'd have
- `<a ...`
  - `href=...` (we know it's an attribute because the code doesn't start with `<`)
    - `<%-output.products[i].id%>` (XSS risk)
      - `output.products[i].id` (already exists)
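The re-scan of the original .ejs file suggested earlier in the thread, as an added example (my code, not joern's and not the preprocessor linked above): it tokenizes the EJS tags, keeps only the HTML in between, and applies the thread's own heuristic (an unclosed `<` means we are inside a start tag; the last `name=` before the tag is the attribute) to recover the DOM context that stripping loses. It assumes only the standard EJS delimiters and runs on a constructed sample template.

```python
import re
from collections import namedtuple

# EJS tags (subset): '<%-' = unescaped output (raw into the page, the XSS case),
# '<%=' = HTML-escaped output, '<%#' = comment, plain '<%' = scriptlet.
EJS_TAG = re.compile(r"<%([-=#]?)(.*?)[-_]?%>", re.DOTALL)
KINDS = {"-": "unescaped", "=": "escaped", "#": "comment", "": "scriptlet"}
# 'name=', 'name="prefix' or 'name=prefix' sitting right before the EJS tag.
ATTR_BEFORE_TAG = re.compile(r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"[^"]*|'[^']*|[^\s"'>]*)$""")
Finding = namedtuple("Finding", "line kind expr element attribute")

def html_context(html_before):
    """Thread heuristic: an unclosed '<' means we are inside an element's start
    tag; the last 'name=' before the EJS tag is the attribute it is written into."""
    lt, gt = html_before.rfind("<"), html_before.rfind(">")
    if lt == -1 or gt > lt:
        return None, None                      # text content between elements
    open_tag = html_before[lt + 1:]
    name = re.match(r"[A-Za-z][-\w:]*", open_tag)
    if not name:
        return None, None
    attr = ATTR_BEFORE_TAG.search(open_tag[name.end():])
    return name.group(0), (attr.group(1) if attr else None)

def scan_ejs(source):
    """Walk the original .ejs text and record each tag with the DOM context
    that is lost once the preprocessor strips the tags before Babel sees them."""
    findings, html_so_far, pos = [], "", 0
    for m in EJS_TAG.finditer(source):
        html_so_far += source[pos:m.start()]   # accumulate only the HTML parts
        pos = m.end()
        element, attribute = html_context(html_so_far)
        findings.append(Finding(source.count("\n", 0, m.start()) + 1,
                                KINDS[m.group(1)], m.group(2).strip(), element, attribute))
    return findings

def unescaped_in_attribute(source):
    """The review-worthy subset: raw '<%-' output inside an attribute value."""
    return [f for f in scan_ejs(source) if f.kind == "unescaped" and f.attribute]

# Constructed sample template (not from the issue), modelled on the thread's snippet.
SAMPLE = """<ul>
<% for (var i = 0; i < output.products.length; i++) { %>
  <li><a href="/product/<%- output.products[i].id %>"><%= output.products[i].name %></a></li>
<% } %>
</ul>
"""
```

`unescaped_in_attribute(SAMPLE)` reports the `href` on line 3 with element `a` and expression `output.products[i].id`, while the `<%=` on the same line is left alone as escaped text content.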