Add context/path information to JSON-based string accesses

[vladidx]

JSON objects are often created from XHR responses and then flowing into the DOM (potentially without escaping).
It would be quite helpful to know the path/context of the tainted string within the JSON object, e.g. as part of the arguments:

Ideally, the context information would be a kind of XPath for JSON as described here.

[tmbrbr]

@vladidx would you also need the entire JSON content as an additional argument, or do you have this information from e.g. the XHR response? Adding the entire JSON string as an argument might be quite memory intensive...

[vladidx]

No, the JSON content is not needed

[tmbrbr]

I'm working on a fix for this which would give:

"?.d.BookingExtension.BookingComment"

as the JSON Path for the above example. Would this be sufficient?

[vladidx]

Yes, that would be already sufficient, thanks.

[tmbrbr]

Ooops, just checked the spec again, I guess it should be a leading $ instead of a ?

[vladidx]

👍

[tmbrbr]

This is implemented with #200