Add examples of sap.ui.getCore() and this.getOwnerComponent()

Author: jeongsoolee09

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js

@@ -0,0 +1,12 @@
+sap.ui.define([
+  "sap/ui/core/UIComponent"
+], function(UIComponent) {
+  "use strict";
+  return UIComponent.extend("codeql-sap-js.Component", {
+    metadata: {
+      manifest: "json"
+    },
+
+    init: function() { }
+  })
+})

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js

@@ -0,0 +1,35 @@
+sap.ui.define([
+  "sap/ui/core/mvc/Controller",
+  "sap/ui/model/json/JSONModel",
+  "sap/ui/core/EventBus"
+], function(Controller, JSONModel, EventBus) {
+  "use strict";
+  return Controller.extend("codeql-sap-js.controller.App1", {
+    /*
+     * 1. XSS.controller's method `doSomething1`: publish event "xss" with data pulled in
+     * 2. XSS.controller's method `onInit`: subscribe to event "xss" with handler `doSomething2`
+     * 3. XSS.controller's method `doSomething2`: set HTML's content
+     */
+    onInit: function() {
+      let oData = {
+        input: null,
+        output1: null
+      };
+      let oModel = new JSONModel(oData);
+      this.getView().setModel(oModel);
+      this.bus = EventBus.getInstance();
+      this.bus.subscribe("xssChannel", "xss", this.doSomething2, this);
+    },
+
+    doSomething1() {
+      let oInput = this.getView().byId("input");
+      let value = oInput.getValue();
+      this.bus.publish("xssChannel", "xss", { message: value });
+    },
+
+    doSomething2(channel, event, model) {
+      let oHtmlOutput = this.getView().byId("htmlOutput");
+      oHtmlOutput.setContent(model.message);
+    }
+  });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js

@@ -0,0 +1,35 @@
+sap.ui.define([
+  "sap/ui/core/mvc/Controller",
+  "sap/ui/model/json/JSONModel",
+  "sap/ui/core/EventBus"
+], function(Controller, JSONModel, EventBus) {
+  "use strict";
+  return Controller.extend("codeql-sap-js.controller.App2", {
+    /*
+     * 1. XSS.controller's method `doSomething1`: publish event "xss" with data pulled in
+     * 2. XSS.controller's method `onInit`: subscribe to event "xss" with handler `doSomething2`
+     * 3. XSS.controller's method `doSomething2`: set HTML's content
+     */
+    onInit: function() {
+      let oData = {
+        input: null,
+        output1: null
+      };
+      let oModel = new JSONModel(oData);
+      this.getView().setModel(oModel);
+      this.bus = sap.ui.getCore().getEventBus();
+      this.bus.subscribe("xssChannel", "xss", this.doSomething2, this);
+    },
+
+    doSomething1() {
+      let oInput = this.getView().byId("input");
+      let value = oInput.getValue();
+      this.bus.publish("xssChannel", "xss", { message: value });
+    },
+
+    doSomething2(channel, event, model) {
+      let oHtmlOutput = this.getView().byId("htmlOutput");
+      oHtmlOutput.setContent(model.message);
+    }
+  });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js

@@ -0,0 +1,29 @@
+sap.ui.define([
+  "sap/ui/core/mvc/Controller",
+  "sap/ui/model/json/JSONModel",
+  "sap/ui/core/EventBus"
+], function(Controller, JSONModel, EventBus) {
+  "use strict";
+  return Controller.extend("codeql-sap-js.controller.App3", {
+    /*
+     * 1. XSS.controller's method `doSomething1`: publish event "xss" with data pulled in
+     * 2. XSS.controller's method `onInit`: subscribe to event "xss" with handler `doSomething2`
+     * 3. XSS.controller's method `doSomething2`: set HTML's content
+     */
+    onInit: function() {
+      let oData = {
+        input: null,
+        output1: null
+      };
+      let oModel = new JSONModel(oData);
+      this.getView().setModel(oModel);
+      this.bus = this.getOwnerComponent().getEventBus();
+    },
+
+    doSomething1() {
+      let oInput = this.getView().byId("input");
+      let value = oInput.getValue();
+      this.bus.publish("xssChannel", "xss", { message: value });
+    }
+  });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js

@@ -0,0 +1,29 @@
+sap.ui.define([
+  "sap/ui/core/mvc/Controller",
+  "sap/ui/model/json/JSONModel",
+  "sap/ui/core/EventBus"
+], function(Controller, JSONModel, EventBus) {
+  "use strict";
+  return Controller.extend("codeql-sap-js.controller.App4", {
+    /*
+     * 1. XSS.controller's method `doSomething1`: publish event "xss" with data pulled in
+     * 2. XSS.controller's method `onInit`: subscribe to event "xss" with handler `doSomething2`
+     * 3. XSS.controller's method `doSomething2`: set HTML's content
+     */
+    onInit: function() {
+      let oData = {
+        input: null,
+        output1: null
+      };
+      let oModel = new JSONModel(oData);
+      this.getView().setModel(oModel);
+      this.bus = this.getOwnerComponent().getEventBus();
+      this.bus.subscribe("xssChannel", "xss", this.doSomething2, this);
+    },
+
+    doSomething2(channel, event, model) {
+      let oHtmlOutput = this.getView().byId("htmlOutput");
+      oHtmlOutput.setContent(model.message);
+    }
+  });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js

@@ -1,35 +1,8 @@
 sap.ui.define([
   "sap/ui/core/mvc/Controller",
-  "sap/ui/model/json/JSONModel",
-  "sap/ui/core/EventBus"
-], function(Controller, JSONModel, EventBus) {
+], function(Controller) {
   "use strict";
-  return Controller.extend("codeql-sap-js.controller.app", {
-    /*
-     * 1. XSS.controller's method `doSomething1`: publish event "xss" with data pulled in
-     * 2. XSS.controller's method `onInit`: subscribe to event "xss" with handler `doSomething2`
-     * 3. XSS.controller's method `doSomething2`: set HTML's content
-     */
-    onInit: function() {
-      let oData = {
-        input: null,
-        output1: null
-      };
-      let oModel = new JSONModel(oData);
-      this.getView().setModel(oModel);
-      this.bus = EventBus.getInstance();
-      this.bus.subscribe("xssChannel", "xss", this.doSomething2, this);
-    },
-
-    doSomething1() {
-      let oInput = this.getView().byId("input");
-      let value = oInput.getValue();
-      this.bus.publish("xssChannel", "xss", { message: value });
-    },
-
-    doSomething2(channel, event, model) {
-      let oHtmlOutput = this.getView().byId("htmlOutput");
-      oHtmlOutput.setContent(model.message);
-    }
+  return Controller.extend("codeql-sap-js.controller.App", {
+    onInit: function() { }
   });
 });

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/manifest.json

@@ -1,5 +1,94 @@
 {
-    "sap.app": {
-        "id": "sap-ui5-xss"
+  "_version": "0.0.1",
+  "sap.app": {
+    "id": "codeql-sap-js",
+    "type": "application",
+    "applicationVersion": {
+      "version": "0.0.1"
+    },
+    "title": "{{appTitle}}",
+    "description": "{{appDescription}}",
+    "dataSources": {
+      "someDataSource": {
+        "uri": "some/path/to/dataSource",
+        "type": "OData",
+        "settings": {
+          "odataVersion": "2.0"
+        }
+      }
     }
-}
+  },
+  "sap.ui": {
+    "technology": "UI5"
+  },
+  "sap.ui5": {
+    "rootView": "codeql-sap-js.controller.App",
+    "dependencies": {
+      "minUI5Version": "1.30",
+      "libs": {
+        "sap.m": {},
+        "sap.ui.layout": {}
+      }
+    },
+
+    "models": {
+      "someRemoteModel": {
+        "dataSource": "someDataSource",
+        "settings": {
+          "defaultBindingMode": "TwoWay"
+        }
+      }
+    },
+    "config": {
+      "someDataSource": "some/path/to/dataSource"
+    },
+    "routing": {
+      "config": {
+        "routerClass": "sap.m.routing.Router",
+        "viewType": "XML",
+        "async": true,
+        "viewPath": "codeql-sap-js.view"
+      },
+      "routes": [
+        {
+          "pattern": "somePattern1",
+          "name": "someName1",
+          "target": "someTarget1"
+        },
+        {
+          "pattern": "somePattern2",
+          "name": "someName2",
+          "target": "someTarget2"
+        },
+        {
+          "pattern": "somePattern3",
+          "name": "someName3",
+          "target": "someTarget3"
+        },
+        {
+          "pattern": "somePattern4",
+          "name": "someName4",
+          "target": "someTarget4"
+        }
+      ],
+      "targets": {
+        "someTarget1": {
+          "viewName": "App1",
+          "viewLevel": 1
+        },
+        "someTarget2": {
+          "viewName": "App2",
+          "viewLevel": 1
+        },
+        "someTarget3": {
+          "viewName": "App3",
+          "viewLevel": 1
+        },
+        "someTarget4": {
+          "viewName": "App4",
+          "viewLevel": 1
+        }
+      }
+    }
+  }
+}

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App1.view.xml

@@ -0,0 +1,13 @@
+<mvc:View controllerName="codeql-sap-js.controller.App1"
+          xmlns="sap.m"
+          xmlns:core="sap.ui.core"
+          xmlns:mvc="sap.ui.core.mvc">
+  <Input id="input"
+         placeholder="Enter Payload"
+         description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt; and press a button"
+         value="{/input}" />  <!--User input source sap.m.Input.value -->
+  <Button text="Press me for XSS"
+          press=".doSomething1" />
+  <core:HTML id="htmlOutput"
+             content="{/output1}" /> <!--XSS sink sap.ui.core.HTML.content -->
+</mvc:View>

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App2.view.xml

@@ -0,0 +1,13 @@
+<mvc:View controllerName="codeql-sap-js.controller.App2"
+          xmlns="sap.m"
+          xmlns:core="sap.ui.core"
+          xmlns:mvc="sap.ui.core.mvc">
+  <Input id="input"
+         placeholder="Enter Payload"
+         description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt; and press a button"
+         value="{/input}" />  <!--User input source sap.m.Input.value -->
+  <Button text="Press me for XSS"
+          press=".doSomething1" />
+  <core:HTML id="htmlOutput"
+             content="{/output1}" /> <!--XSS sink sap.ui.core.HTML.content -->
+</mvc:View>

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App3.view.xml

@@ -0,0 +1,11 @@
+<mvc:View controllerName="codeql-sap-js.controller.App3"
+          xmlns="sap.m"
+          xmlns:core="sap.ui.core"
+          xmlns:mvc="sap.ui.core.mvc">
+  <Input id="input"
+         placeholder="Enter Payload"
+         description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt; and press a button"
+         value="{/input}" />  <!--User input source sap.m.Input.value -->
+  <Button text="Press me for XSS"
+          press=".doSomething1" />
+</mvc:View>