From e983e26f68db7459d42ad114368409130a15ab9c Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 17 Jan 2025 10:28:07 +0100 Subject: [PATCH] JS: Add example with safe field --- .../XssThroughDom/XssThroughDom.expected | 22 +++++++++---------- .../Security/CWE-079/XssThroughDom/angular.ts | 2 ++ 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected index a755431deec4..ad132e1cf706 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected @@ -1,6 +1,6 @@ edges -| angular.ts:12:5:12:23 | field: string = ""; | angular.ts:27:24:27:33 | this.field | provenance | | -| angular.ts:23:24:23:33 | form.value | angular.ts:23:24:23:37 | form.value.foo | provenance | | +| angular.ts:12:5:12:23 | field: string = ""; | angular.ts:28:24:28:33 | this.field | provenance | | +| angular.ts:24:24:24:33 | form.value | angular.ts:24:24:24:37 | form.value.foo | provenance | | | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values | provenance | | | forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo | provenance | | | forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values | provenance | | 
@@ -45,11 +45,11 @@ edges | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg | provenance | | nodes | angular.ts:12:5:12:23 | field: string = ""; | semmle.label | field: string = ""; | -| angular.ts:15:24:15:41 | event.target.value | semmle.label | event.target.value | -| angular.ts:19:24:19:35 | target.value | semmle.label | target.value | -| angular.ts:23:24:23:33 | form.value | semmle.label | form.value | -| angular.ts:23:24:23:37 | form.value.foo | semmle.label | form.value.foo | -| angular.ts:27:24:27:33 | this.field | semmle.label | this.field | +| angular.ts:16:24:16:41 | event.target.value | semmle.label | event.target.value | +| angular.ts:20:24:20:35 | target.value | semmle.label | target.value | +| angular.ts:24:24:24:33 | form.value | semmle.label | form.value | +| angular.ts:24:24:24:37 | form.value.foo | semmle.label | form.value.foo | +| angular.ts:28:24:28:33 | this.field | semmle.label | this.field | | forms.js:8:23:8:28 | values | semmle.label | values | | forms.js:9:31:9:36 | values | semmle.label | values | | forms.js:9:31:9:40 | values.foo | semmle.label | values.foo | 
@@ -132,10 +132,10 @@ nodes | xss-through-dom.js:159:34:159:52 | $("textarea").val() | semmle.label | $("textarea").val() | subpaths #select -| angular.ts:15:24:15:41 | event.target.value | angular.ts:15:24:15:41 | event.target.value | angular.ts:15:24:15:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:15:24:15:41 | event.target.value | DOM text | -| angular.ts:19:24:19:35 | target.value | angular.ts:19:24:19:35 | target.value | angular.ts:19:24:19:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:19:24:19:35 | target.value | DOM text | -| angular.ts:23:24:23:37 | form.value.foo | angular.ts:23:24:23:33 | form.value | angular.ts:23:24:23:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:23:24:23:33 | form.value | DOM text | -| angular.ts:27:24:27:33 | this.field | angular.ts:12:5:12:23 | field: string = ""; | angular.ts:27:24:27:33 | this.field | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:5:12:23 | field: string = ""; | DOM text | +| angular.ts:16:24:16:41 | event.target.value | angular.ts:16:24:16:41 | event.target.value | angular.ts:16:24:16:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:41 | event.target.value | DOM text | +| angular.ts:20:24:20:35 | target.value | angular.ts:20:24:20:35 | target.value | angular.ts:20:24:20:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:35 | target.value | DOM text | +| angular.ts:24:24:24:37 | form.value.foo | angular.ts:24:24:24:33 | form.value | angular.ts:24:24:24:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. 
| angular.ts:24:24:24:33 | form.value | DOM text | +| angular.ts:28:24:28:33 | this.field | angular.ts:12:5:12:23 | field: string = ""; | angular.ts:28:24:28:33 | this.field | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:5:12:23 | field: string = ""; | DOM text | | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text | | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text | | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts index ad44929b1c76..1787e5380db6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts @@ -10,6 +10,7 @@ import { NgForm } from "@angular/forms"; }) export class Foo { field: string = ""; + safeField: string = ""; setInput1(event) { document.write(event.target.value); // NOT OK @@ -25,5 +26,6 @@ export class Foo { useField() { document.write(this.field); // NOT OK + document.write(this.safeField); // OK } }
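Review bot: The added `document.write(this.safeField); // OK` gives no reason why `safeField` is treated as safe while `this.field` on the line above is `// NOT OK`, and nothing in the hunk distinguishes them: both are declared as `string = ""` and both reach the same `document.write` sink, so the reader has to infer that `field` is presumably bound to a DOM input in the component template (above line 10, outside the hunk) and `safeField` is not. Because the expected-results file in this commit only shifts line numbers and adds no new finding, this case is pinning the query's current behaviour, so the assumption it rests on should be stated next to it, e.g. `document.write(this.safeField); // OK - never bound in the template, so not a DOM-text source`. The comment should also make clear that `// OK` refers only to the XssThroughDom query's notion of a source, not to `document.write` of a component field being safe in general, since binding `safeField` with `[(ngModel)]` or similar later would silently invalidate the annotation. The `Foo` class and its `@Component` decorator begin before the first hunk.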