Ensure sanitizeContent attribute is respected

Author: mbaluda

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -649,14 +649,11 @@ class XmlView extends UI5View instanceof XmlFile {
       ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control.getAttribute(property) and
-      /* If the control is an `sap.ui.core.HTML` then the control should be missing the `sanitizeContent` attribute */
-      (
-        getASuperType(type) = "HTMLControl"
-        implies
-        (
-          not exists(control.getAttribute("sanitizeContent")) or
-          control.getAttribute("sanitizeContent").getValue() = "false"
-        )
+      not (
+        getASuperType(type) = "UI5HTMLControl" and
+        // `sap.ui.core.HTML` controls are not sinks if the `sanitizeContent` attribute set to true
+        control.getAttribute("sanitizeContent").getValue() = "true"
+        // TODO: unless progeammatically set ot false
       )
     )
   }

javascript/frameworks/ui5/test/README.md

@@ -42,6 +42,10 @@ User input flows to XSS sinks via event handlers in 4 different ways:
 
 ### [xss-html-control](queries/UI5Xss/xss-html-control)
 - `sap.ui.core.HTML` Control
+  
+### [xss-html-control sanitized](queries/UI5Xss/xss-html-control sanitized)
+- `sap.ui.core.HTML` Control
+- sanitization using the `sanitizeContent` property set to true
 
 ### [xss-html-control-df](queries/UI5Xss/xss-html-control-df)
 - `sap.ui.core.HTML` Control
@@ -57,7 +61,7 @@ User input flows to XSS sinks via event handlers in 4 different ways:
 
 ### [xss-html-view](queries/UI5Xss/xss-html-view)
 - `sap.ui.core.mvc.HTMLView` View
-- 
+
 ### [xss-indirect-control](queries/UI5Xss/xss-indirect-control)
 - control accessed indirectly
 

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control sanitized/UI5Xss.expected

@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control sanitized/UI5Xss.qlref

@@ -0,0 +1,5 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "main": "index.js"
+}

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control sanitized/package-lock.json

@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: sap-ui5-xss
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control sanitized/package.json

@@ -0,0 +1,15 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel"
+], function (Controller, JSONModel) {
+    "use strict"
+    return Controller.extend("codeql-sap-js.controller.app", {
+        onInit: function () {
+            var oData = {
+                input: null
+            };
+            var oModel = new JSONModel(oData);
+            this.getView().setModel(oModel);
+        }
+    });
+})

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control sanitized/ui5.yaml

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+
+    <meta charset="utf-8">
+    <title>SAPUI5 XSS</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:codeql-sap-js/index" 
+        data-sap-ui-resourceroots='{
+            "codeql-sap-js": "./"
+        }'>
+        </script>
+</head>
+
+<body class="sapUiBody" id="content">
+
+</body>
+
+</html>

javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control sanitized/webapp/controller/app.controller.js

@@ -0,0 +1,11 @@
+sap.ui.define([
+    "sap/ui/core/mvc/XMLView"
+], function (XMLView) {
+    "use strict";
+    XMLView.create({
+        viewName: "codeql-sap-js.view.app"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+
+});