Added a test for tanstack/react-query useQuery

Author: Napalys

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected

@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["response", true, 0]

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.qlref

@@ -0,0 +1,2 @@
+query: Security/CWE-079/Xss.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/test.jsx

@@ -0,0 +1,32 @@
+import React from "react";
+import { useQuery } from "@tanstack/react-query";
+
+const fetchContent = async () => {
+    const response = await fetch("https://example.com/content"); // $ MISSING: Source[js/xss]
+    const data = await response.json();
+    return data;
+};
+
+const ContentWithDangerousHtml = () => {
+    const { data, error, isLoading } = useQuery(
+        {
+            queryFn: fetchContent
+        }   
+    );
+
+    if (isLoading) return <div>Loading...</div>;
+    if (error) return <div>Error fetching content!</div>;
+
+    return (
+        <div>
+            <h1>Content with Dangerous HTML</h1>
+            <div
+                dangerouslySetInnerHTML={{
+                    __html: data, // $ MISSING: Alert[js/xss]
+                }}
+            />
+        </div>
+    );
+};
+
+export default ContentWithDangerousHtml;