Merge pull request github#12166 from erik-krogh/more-html-san

JS: add `HtmlSanitizer` as a sanitizer DOMBasedXss

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -287,6 +287,8 @@ module DomBasedXss {
 
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
+  private class HtmlSanitizerAsSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
+
   /**
    * Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`.
    */

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js

@@ -139,4 +139,11 @@ const cashDom = require("cash-dom");
     const src = document.getElementById("#link").src;
 	cash("#id").html(src); // NOT OK.
     cashDom("#id").html(src); // NOT OK
+
+    var DOMPurify = {
+        sanitize: function (src) {
+            return src; // to model spuriously finding an edge. The below is still OK.
+        }
+    };
+    cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK
 })();