Source in Control metedata

Author: mbaluda

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll

@@ -61,6 +61,19 @@ class LocalModelContentBoundBidirectionallyToHtmlISinkControl extends DomBasedXs
   UI5Control getControlDeclaration() { result = controlDeclaration }
 }
 
+class LocalModelStringPropertySource extends DomBasedXss::Source {
+  LocalModelStringPropertySource() {
+    exists(UI5BindingPath bindingPath |
+      this =
+        bindingPath
+            .getControlDeclaration()
+            .getDefinition()
+            .getMetadata()
+            .getProperty(bindingPath.getPropertyName())
+    )
+  }
+}
+
 module UI5PathGraph<PathNodeSig ConfigPathNode, PathGraphSig<ConfigPathNode> ConfigPathGraph> {
   private newtype TNode =
     TUI5BindingPathNode(UI5BindingPath path) or

javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js

@@ -1,10 +1,11 @@
 sap.ui.define([
-    "sap/ui/core/Control"
-], function (Control) {
+    "sap/ui/core/Control", 'sap/base/security/encodeXML'
+], function (Control, EncodeXML) {
     return Control.extend("codeql-sap-js.control.xss", {
         metadata: {
             properties: {
-                text: { type: "string" }
+                text: { type: "string" },
+                text2: { type: "string" }
             }
         },
         renderer: {
@@ -13,6 +14,13 @@ sap.ui.define([
                 oRm.openStart("div", oControl);
                 oRm.unsafeHtml(oControl.getText()); // XSS sink RenderManager.unsafeHtml
                 oRm.close("div");
+
+                oRm.write(`
+                    <div>
+                        <div>${oControl.getText2()}</div>
+                        <div>${EncodeXML(oControl.getText2())}</div>
+                    </div>
+                    `.trim());
             }
         }
     });