Javascript Cheatsheets

Finds function calls of the form `eval(...)`

Finds functions that are passed as arguments to other functions

Finds classes that do not declare an explicit constructor

Finds property accesses using the square bracket notation where the property name is a constant string

Finds places where we declare a variable called `v`

Tracks the return value of an HTML sanitizer into an escape-sequence decoder, indicating an ineffective sanitization attempt.

Tracks the return value of 'escapeHtml' into 'decodeURI', indicating an ineffective sanitization attempt.

Finds 'default' exports that export a function

Finds empty block statements

Finds yield expressions without an operand

Finds `==` equality expressions that form an expression statement

Extends the standard Stored XSS query with an additional source, using TrackedNode to track MySQL connections globally.

Extends the standard Stored XSS query with an additional source.

Finds files called `index.js`

Finds classes called 'File'

Generates use-definition pairs that provide the data for find-references in the code viewer.

Finds functions with more than ten parameters

Finds functions that do not contain a return statement

Finds generator functions

Finds cases where the 'userId' field in a request to another service is an arbitrary user-controlled value, indicating lack of authentication.

Finds 'if' statements where the 'then' branch is an empty block statement

Finds calls of the form `(function(...) { ... })(...)`

Finds import statements that import from module 'react'

Tracks values from an 'authKey' property into a postMessage call with unrestricted origin, indicating a leak of sensitive information.

Finds JSX attributes named `dangerouslySetInnerHTML`

Generates use-definition pairs that provide the data for jump-to-definition in the code viewer.

Finds calls of the form `this.isMounted(...)`

Finds methods named 'render'

Finds function expressions that have a name

Finds new expressions of the form `new RegExp(...)`

Finds parameters called 'arguments'

Outputs a representation of a file's Abstract Syntax Tree. This query is used by the VS Code extension.

Finds property accesses of the form `x.innerHTML`

Finds places where we reference a variable called `var`

Finds string literals using single quotes

Finds block statements containing a single statement

Finds tagged template expressions

Tracks user-controlled values into 'eval' calls (special case of js/code-injection), and generates a visualizable path from the source to the sink.

Tracks user-controlled values into 'eval' calls (special case of js/code-injection).

Tracks user-controlled values to an unescaped lodash template placeholder.

Finds expressions of the form `e % 2 === 0`

Finds comments containing the word TODO