• CodeQL query help documentation »
• CodeQL query help for JavaScript and TypeScript »

Replacement of a substring with itself

ID: js/identity-replacement Kind: problem Security severity: 5.0 Severity: warning Precision: very-high Tags: - correctness - security - external/cwe/cwe-116 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls 

Click to see the query in the CodeQL repository

Replacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.

Recommendation

Examine the string replacement to find and correct any typos.

Example

The following code snippet attempts to backslash-escape all double quotes in raw by replacing all instances of " with \":

varescaped=raw.replace(/"/g,'\"');

However, the replacement string '\"' is actually the same as '"', with \" interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be '\\"':

varescaped=raw.replace(/"/g,'\\"');

References

• Mozilla Developer Network: String escape notation.

• Common Weakness Enumeration: CWE-116.

• © GitHub, Inc.
• Terms
• Privacy