Address review 2

Author: mbaluda

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -861,6 +861,12 @@ class UI5Control extends TUI5Control {
       node.getArgument(0).getStringValue() = propName and
       not node.getArgument(1).mayHaveBooleanValue(val.booleanNot())
     )
+    or
+    /* 3. `sanitizeContent` attribute is set programmatically using a setter. */
+    exists(CallNode node |
+      node = this.getAReference().getAMemberCall("setS" + propName.suffix(1)) and
+      not node.getArgument(0).mayHaveBooleanValue(val.booleanNot())
+    )
   }
 }
 

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/UI5Xss.expected

@@ -4,6 +4,8 @@ nodes
 | webapp/controller/app.controller.js:11:17:11:28 | input2: null |
 | webapp/controller/app.controller.js:12:17:12:28 | input3: null |
 | webapp/controller/app.controller.js:13:17:13:28 | input4: null |
+| webapp/controller/app.controller.js:14:17:14:28 | input5: null |
+| webapp/controller/app.controller.js:15:17:15:28 | input6: null |
 | webapp/view/app.view.xml:6:5:8:28 | value={/input} |
 | webapp/view/app.view.xml:9:5:10:28 | value={/input} |
 | webapp/view/app.view.xml:11:5:12:28 | value={/input} |
@@ -23,7 +25,11 @@ nodes
 | webapp/view/app.view.xml:42:5:44:29 | value={/input3} |
 | webapp/view/app.view.xml:45:5:45:59 | content={/input3} |
 | webapp/view/app.view.xml:47:5:49:29 | value={/input4} |
-| webapp/view/app.view.xml:50:5:50:80 | content={/input4} |
+| webapp/view/app.view.xml:50:5:50:81 | content={/input4} |
+| webapp/view/app.view.xml:52:5:54:29 | value={/input5} |
+| webapp/view/app.view.xml:55:5:55:59 | content={/input5} |
+| webapp/view/app.view.xml:57:5:57:43 | value={/input} |
+| webapp/view/app.view.xml:58:5:58:65 | value={/input6} |
 edges
 | webapp/controller/app.controller.js:9:17:9:28 | input0: null | webapp/view/app.view.xml:27:5:29:29 | value={/input0} |
 | webapp/controller/app.controller.js:9:17:9:28 | input0: null | webapp/view/app.view.xml:30:5:30:37 | content={/input0} |
@@ -34,38 +40,51 @@ edges
 | webapp/controller/app.controller.js:12:17:12:28 | input3: null | webapp/view/app.view.xml:42:5:44:29 | value={/input3} |
 | webapp/controller/app.controller.js:12:17:12:28 | input3: null | webapp/view/app.view.xml:45:5:45:59 | content={/input3} |
 | webapp/controller/app.controller.js:13:17:13:28 | input4: null | webapp/view/app.view.xml:47:5:49:29 | value={/input4} |
-| webapp/controller/app.controller.js:13:17:13:28 | input4: null | webapp/view/app.view.xml:50:5:50:80 | content={/input4} |
-| webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) | webapp/view/app.view.xml:25:5:25:36 | content={/input} |
-| webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) | webapp/view/app.view.xml:30:5:30:37 | content={/input0} |
-| webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) | webapp/view/app.view.xml:35:5:35:79 | content={/input1} |
-| webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) | webapp/view/app.view.xml:40:5:40:59 | content={/input2} |
-| webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) | webapp/view/app.view.xml:45:5:45:59 | content={/input3} |
-| webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) | webapp/view/app.view.xml:50:5:50:80 | content={/input4} |
-| webapp/view/app.view.xml:6:5:8:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:9:5:10:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:11:5:12:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:13:5:14:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:15:5:16:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:17:5:18:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:19:5:20:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:21:5:22:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:23:5:24:28 | value={/input} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
+| webapp/controller/app.controller.js:13:17:13:28 | input4: null | webapp/view/app.view.xml:50:5:50:81 | content={/input4} |
+| webapp/controller/app.controller.js:14:17:14:28 | input5: null | webapp/view/app.view.xml:52:5:54:29 | value={/input5} |
+| webapp/controller/app.controller.js:14:17:14:28 | input5: null | webapp/view/app.view.xml:55:5:55:59 | content={/input5} |
+| webapp/controller/app.controller.js:15:17:15:28 | input6: null | webapp/view/app.view.xml:58:5:58:65 | value={/input6} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:25:5:25:36 | content={/input} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:30:5:30:37 | content={/input0} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:35:5:35:79 | content={/input1} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:40:5:40:59 | content={/input2} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:45:5:45:59 | content={/input3} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:50:5:50:81 | content={/input4} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:55:5:55:59 | content={/input5} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:57:5:57:43 | value={/input} |
+| webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) | webapp/view/app.view.xml:58:5:58:65 | value={/input6} |
+| webapp/view/app.view.xml:6:5:8:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:9:5:10:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:11:5:12:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:13:5:14:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:15:5:16:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:17:5:18:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:19:5:20:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:21:5:22:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:23:5:24:28 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:27:5:29:29 | value={/input0} | webapp/controller/app.controller.js:9:17:9:28 | input0: null |
-| webapp/view/app.view.xml:27:5:29:29 | value={/input0} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:27:5:29:29 | value={/input0} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:30:5:30:37 | content={/input0} | webapp/controller/app.controller.js:9:17:9:28 | input0: null |
 | webapp/view/app.view.xml:32:5:34:29 | value={/input1} | webapp/controller/app.controller.js:10:17:10:28 | input1: null |
-| webapp/view/app.view.xml:32:5:34:29 | value={/input1} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:32:5:34:29 | value={/input1} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:35:5:35:79 | content={/input1} | webapp/controller/app.controller.js:10:17:10:28 | input1: null |
 | webapp/view/app.view.xml:37:5:39:29 | value={/input2} | webapp/controller/app.controller.js:11:17:11:28 | input2: null |
-| webapp/view/app.view.xml:37:5:39:29 | value={/input2} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:37:5:39:29 | value={/input2} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:40:5:40:59 | content={/input2} | webapp/controller/app.controller.js:11:17:11:28 | input2: null |
 | webapp/view/app.view.xml:42:5:44:29 | value={/input3} | webapp/controller/app.controller.js:12:17:12:28 | input3: null |
-| webapp/view/app.view.xml:42:5:44:29 | value={/input3} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:42:5:44:29 | value={/input3} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:45:5:45:59 | content={/input3} | webapp/controller/app.controller.js:12:17:12:28 | input3: null |
 | webapp/view/app.view.xml:47:5:49:29 | value={/input4} | webapp/controller/app.controller.js:13:17:13:28 | input4: null |
-| webapp/view/app.view.xml:47:5:49:29 | value={/input4} | webapp/controller/app.controller.js:15:26:15:45 | new JSONModel(oData) |
-| webapp/view/app.view.xml:50:5:50:80 | content={/input4} | webapp/controller/app.controller.js:13:17:13:28 | input4: null |
+| webapp/view/app.view.xml:47:5:49:29 | value={/input4} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:50:5:50:81 | content={/input4} | webapp/controller/app.controller.js:13:17:13:28 | input4: null |
+| webapp/view/app.view.xml:52:5:54:29 | value={/input5} | webapp/controller/app.controller.js:14:17:14:28 | input5: null |
+| webapp/view/app.view.xml:52:5:54:29 | value={/input5} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:55:5:55:59 | content={/input5} | webapp/controller/app.controller.js:14:17:14:28 | input5: null |
+| webapp/view/app.view.xml:57:5:57:43 | value={/input} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:58:5:58:65 | value={/input6} | webapp/controller/app.controller.js:15:17:15:28 | input6: null |
+| webapp/view/app.view.xml:58:5:58:65 | value={/input6} | webapp/controller/app.controller.js:17:26:17:45 | new JSONModel(oData) |
 #select
 | webapp/view/app.view.xml:30:5:30:37 | content={/input0} | webapp/view/app.view.xml:27:5:29:29 | value={/input0} | webapp/view/app.view.xml:30:5:30:37 | content={/input0} | XSS vulnerability due to $@. | webapp/view/app.view.xml:27:5:29:29 | value={/input0} | user-provided value |
 | webapp/view/app.view.xml:45:5:45:59 | content={/input3} | webapp/view/app.view.xml:42:5:44:29 | value={/input3} | webapp/view/app.view.xml:45:5:45:59 | content={/input3} | XSS vulnerability due to $@. | webapp/view/app.view.xml:42:5:44:29 | value={/input3} | user-provided value |
-| webapp/view/app.view.xml:50:5:50:80 | content={/input4} | webapp/view/app.view.xml:47:5:49:29 | value={/input4} | webapp/view/app.view.xml:50:5:50:80 | content={/input4} | XSS vulnerability due to $@. | webapp/view/app.view.xml:47:5:49:29 | value={/input4} | user-provided value |
+| webapp/view/app.view.xml:50:5:50:81 | content={/input4} | webapp/view/app.view.xml:47:5:49:29 | value={/input4} | webapp/view/app.view.xml:50:5:50:81 | content={/input4} | XSS vulnerability due to $@. | webapp/view/app.view.xml:47:5:49:29 | value={/input4} | user-provided value |
+| webapp/view/app.view.xml:58:5:58:65 | value={/input6} | webapp/view/app.view.xml:58:5:58:65 | value={/input6} | webapp/view/app.view.xml:58:5:58:65 | value={/input6} | XSS vulnerability due to $@. | webapp/view/app.view.xml:58:5:58:65 | value={/input6} | user-provided value |

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js

@@ -10,19 +10,23 @@ sap.ui.define([
                 input1: null,
                 input2: null,
                 input3: null,
-                input4: null
+                input4: null,
+                input5: null,
+                input6: null
             };
             var oModel = new JSONModel(oData);
             this.getView().setModel(oModel);
-            
+
             // enable sanitization programmatically
-            this.getView().byId("htmlJsSanitized2").setProperty("sanitizeContent", true);
+            this.getView().byId("htmlJsSanitized2").setProperty("sanitizeContent", true); /* SAFE */
+
+            this.getView().byId("htmlJsSanitized3").sanitizeContent = true; /* UNSAFE: setting the property directly is not sufficient */
+
+            this.getView().byId("htmlUnsanitized").setProperty("sanitizeContent", false); /* UNSAFE: setProperty(..., false) */
 
-            // setting the property directly is not sufficient
-            this.getView().byId("htmlJsSanitized3").sanitizeContent = true;
+            this.getView().byId("htmlJsSanitized5").setSanitizeContent(true); /* SAFE: setSanitizeContent(true) */
 
-            // disable sanitization programmatically
-            this.getView().byId("htmUnsanitized").setProperty("sanitizeContent", false);
+            this.getView().byId("rteUnsanitized").setSanitizeValue(false); /* UNSAFE: RTE setSanitizeContent(false) */
         }
     });
 })

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml

@@ -1,8 +1,8 @@
 <mvc:View controllerName="codeql-sap-js.controller.app"
     xmlns="sap.m"
     xmlns:core="sap.ui.core"
-    xmlns:mvc="sap.ui.core.mvc">
-    
+    xmlns:mvc="sap.ui.core.mvc"
+    xmlns:rte="sap.ui.richtexteditor">    
     <Input placeholder="Enter Payload" 
         description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
         value="{/input}" />  <!--User input source sap.m.Input.value -->
@@ -47,5 +47,13 @@
     <Input placeholder="Enter Payload" 
         description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;" 
         value="{/input4}" />  <!--User input source sap.m.Input.value -->
-    <core:HTML id="htmUnsanitized" content="{/input4}" sanitizeContent="true"/> <!--XSS sink sap.ui.core.HTML.content -->
+    <core:HTML id="htmlUnsanitized" content="{/input4}" sanitizeContent="true"/> <!--XSS sink sap.ui.core.HTML.content -->
+
+    <Input placeholder="Enter Payload (will be sanitized with setSanitizeContent)" 
+        description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;" 
+        value="{/input5}" />  <!--User input source sap.m.Input.value -->
+    <core:HTML id="htmlJsSanitized5" content="{/input5}"/> <!--sanitized XSS sink sap.ui.core.HTML.content -->
+
+    <rte:RichTextEditor value="{/input}"/> <!-- sanitized by default sink sap.ui.richtexteditor.RichTextEditor.value -->
+    <rte:RichTextEditor id="rteUnsanitized"  value="{/input6}"/> <!-- XSS unsinitized programmatically sap.ui.richtexteditor.RichTextEditor.value -->
 </mvc:View>