javascript:S4817 reports on literals

The “Executing XPath expressions is security-sensitive” is a very generic “don’t trust user data” warning, which is always a false positive on any literal xpath. It could further be reduced to only complain about paths where the contents of the xpath is derived from user controlled data, but not complaining on code like this is a start:

var appointments = data.selectNodes("/items/appt");

edit: I guess SONARJAVA-3028 but for JavaScript as well.


Thanks, ticket created for JS

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.