Fix MaD source for built-in XSS query #325

Merged
mbaluda merged 7 commits into main from mbaluda/df-clean
Mar 11, 2026


@mbaluda mbaluda commented Mar 11, 2026

What This PR Contributes

This pull request removes from remote sources the getContent return value of UI5HTMLControl, which affects the test output for the XSS built-in query as well as duplicates some custom UI5 query alerts.

@mbaluda mbaluda requested review from Copilot and knewbury01 March 11, 2026 17:52
@mbaluda mbaluda marked this pull request as ready for review March 11, 2026 17:52

Copilot AI left a comment

Pull request overview

This PR updates the UI5 CodeQL dataflow model to stop treating sap/ui/core/HTML (UI5HTMLControl) getContent() return values as a remote source, and adjusts the corresponding UI5 XSS test expectation to reflect the reduced/cleaned-up path output.

Changes:

  • Remove UI5HTMLControl.getContent().ReturnValue from the sourceModel “remote” sources list.
  • Update the UI5Xss expected output by dropping the now-eliminated self-sourced path entry involving unsanitized.getContent().

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| javascript/frameworks/ui5/ext/ui5.model.yml | Removes UI5HTMLControl.getContent() return from remote sources in the UI5 source model. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected | Updates expected query output to match the revised source modeling. |

@mbaluda mbaluda changed the title from "Mbaluda/df clean" to "Fix MaD source for built-in XSS query" Mar 11, 2026
@mbaluda mbaluda requested a review from data-douser March 11, 2026 18:10
@mbaluda mbaluda enabled auto-merge (squash) March 11, 2026 18:56

@knewbury01 knewbury01 left a comment

looks good to me!

@mbaluda mbaluda merged commit 79fe955 into main Mar 11, 2026
19 checks passed
@mbaluda mbaluda deleted the mbaluda/df-clean branch March 11, 2026 20:57
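
Why modelling a getter's return value as a source adds a second, self-sourced path to the same sink, as an added example that is not part of this pull request or the project's code: a small path enumerator run over a constructed flow graph, with and without the getter in the source list. The node names, the graph and `findPaths` are assumptions for illustration; this is a simplified model, not CodeQL's analysis.

```javascript
// Constructed flow graph (illustrative, not taken from the project's test):
// a user-editable input feeds an HTML control named `unsanitized`, whose
// content is read back with getContent() and written into a second control.
const EDGES = [
  ["input.getValue()", "unsanitized.setContent(arg)"],
  ["unsanitized.setContent(arg)", "unsanitized.getContent()"],
  ["unsanitized.getContent()", "target.setContent(arg)"],
];
const SINKS = new Set(["target.setContent(arg)"]);

// Enumerate every source-to-sink path, one reported path per (source, route).
function findPaths(edges, sources, sinks) {
  const next = new Map();
  for (const [from, to] of edges) {
    if (!next.has(from)) next.set(from, []);
    next.get(from).push(to);
  }
  const paths = [];
  const walk = (node, trail) => {
    if (trail.includes(node)) return; // guard against cycles
    const path = [...trail, node];
    if (sinks.has(node)) paths.push(path);
    for (const succ of next.get(node) || []) walk(succ, path);
  };
  for (const src of sources) walk(src, []);
  return paths;
}

// Before: the getter's return value is itself listed as a remote source,
// so the same sink is reached twice, once from the intermediate node.
const before = findPaths(
  EDGES, ["input.getValue()", "unsanitized.getContent()"], SINKS);

// After: only the real entry point is a source; the full path remains.
const after = findPaths(EDGES, ["input.getValue()"], SINKS);

// Paths whose source is also an interior node of another reported path.
function selfSourced(paths) {
  return paths.filter((p) =>
    paths.some((q) => q !== p && q.indexOf(p[0]) > 0));
}

for (const [label, paths] of [["before", before], ["after", after]]) {
  console.log(label, paths.map((p) => p.join(" -> ")));
}
```

The path that disappears starts in the middle of the longer one, which is the kind of entry an expected-output file loses when the getter is dropped from the source list.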