New XSS sink - writing to innerHTML using the Angular Renderer2 API

Author: aegilops

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -251,6 +251,26 @@ module DomBasedXss {
     }
   }
 
+  /**
+   * A write to the `innerHTML` property of a DOM element, viewed as an XSS sink.
+   * 
+   * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
+   */
+  class AngularRender2SetPropertyInnerHtmlSink extends Sink {
+    AngularRender2SetPropertyInnerHtmlSink() {
+      exists(API::CallNode setProperty |
+        setProperty =
+          API::moduleImport("@angular/core")
+              .getMember("Renderer2")
+              .getInstance()
+              .getMember("setProperty")
+              .getACall() and
+        this = setProperty.getParameter(2).asSink() and
+        setProperty.getParameter(1).asSink().asExpr().(StringLiteral).getValue() = "innerHTML"
+      )
+    }
+  }
+
   /**
    * A value being piped into the `safe` pipe in a template file,
    * disabling subsequent HTML escaping.