fix review comments

mbaluda · mbaluda · commit 21a91b4dc376 · 2026-03-11T11:59:28.000+01:00
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -115,6 +115,7 @@ extensions:
     data:
       - ["UI5InputControl", "Member[value]", "remote"]
       - ["UI5InputControl", "Member[getValue].ReturnValue", "remote"]
+      - ["UI5HTMLControl", "Member[getContent].ReturnValue", "remote"]
       - ["UI5CodeEditor", "Member[value]", "remote"]
       - ["UI5CodeEditor", "Member[getCurrentValue].ReturnValue", "remote"]
       - ["global", "Member[jQuery].Member[sap].Member[syncHead,syncGet,syncGetText,syncPost,syncPostText].ReturnValue", "remote"]
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5Control.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5Control.qll
@@ -223,6 +223,24 @@ class UI5Control extends TUI5Control {
   }
 }
 
+class XmlControlProperty extends XmlAttribute {
+  XmlControlProperty() { exists(UI5Control control | this.getElement() = control.asXmlControl()) }
+}
+
+bindingset[qualifiedTypeUri]
+predicate isBuiltInControl(string qualifiedTypeUri) {
+  exists(string namespace |
+    namespace =
+      [
+        "sap\\.m.*", // https://sapui5.hana.ondemand.com/#/api/sap.m: The main UI5 control library, with responsive controls that can be used in touch devices as well as desktop browsers.
+        "sap\\.f.*", // https://sapui5.hana.ondemand.com/#/api/sap.f: SAPUI5 library with controls specialized for SAP Fiori apps.
+        "sap\\.ui.*" // https://sapui5.hana.ondemand.com/#/api/sap.ui: The sap.ui namespace is the central OpenAjax compliant entry point for UI related JavaScript functionality provided by SAP.
+      ]
+  |
+    qualifiedTypeUri.regexpMatch(namespace)
+  )
+}
+
 private newtype TUI5ControlProperty =
   TXmlControlProperty(XmlAttribute property) or
   TJsonControlProperty(JsonValue property) or
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -225,24 +225,6 @@ private UI5ExternalModel getExternalModelNode(UI5BindingPath bindingPath) {
   inSameWebApp(bindingPath.getLocation().getFile(), result.getFile())
 }
 
-class XmlControlProperty extends XmlAttribute {
-  XmlControlProperty() { exists(UI5Control control | this.getElement() = control.asXmlControl()) }
-}
-
-bindingset[qualifiedTypeUri]
-predicate isBuiltInControl(string qualifiedTypeUri) {
-  exists(string namespace |
-    namespace =
-      [
-        "sap\\.m.*", // https://sapui5.hana.ondemand.com/#/api/sap.m: The main UI5 control library, with responsive controls that can be used in touch devices as well as desktop browsers.
-        "sap\\.f.*", // https://sapui5.hana.ondemand.com/#/api/sap.f: SAPUI5 library with controls specialized for SAP Fiori apps.
-        "sap\\.ui.*" // https://sapui5.hana.ondemand.com/#/api/sap.ui: The sap.ui namespace is the central OpenAjax compliant entry point for UI related JavaScript functionality provided by SAP.
-      ]
-  |
-    qualifiedTypeUri.regexpMatch(namespace)
-  )
-}
-
 /**
  * A UI5 View that might include XSS sources and sinks in standard controls.
  */
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected
@@ -18,4 +18,5 @@ edges
 #select
 | webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
 | webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
+| webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | XSS vulnerability due to $@. | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | user-provided value |
 | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
