Add test cases for @tanstack/angular-query-experimental injectQuery

Napalys · Napalys · commit 184d23df4632 · 2025-03-12T11:54:53.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
@@ -92,3 +92,7 @@ nodes
 | testReactRelay.tsx:136:16:136:39 | readFra ... y, key) | semmle.label | readFra ... y, key) |
 | testReactRelay.tsx:137:50:137:53 | data | semmle.label | data |
 subpaths
+testFailures
+| test.ts:8:82:8:92 | // $ Source | Missing result: Source |
+| test.ts:21:79:21:88 | // $ Alert | Missing result: Alert |
+| test.ts:24:94:24:103 | // $ Alert | Missing result: Alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/test.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/test.ts
@@ -0,0 +1,37 @@
+import { QueryClient, injectQuery } from '@tanstack/angular-query-experimental'
+import { HttpClient } from '@angular/common/http'   
+
+class ServiceOrComponent {
+    query = injectQuery(() => ({
+      queryKey: ['repoData'],
+      queryFn: () =>
+        this.#http.get<Response>('https://api.github.com/repos/tanstack/query'), // $ Source
+    }))
+
+    #http: {
+      get: <T>(url: string) => Promise<T>
+    };
+
+    constructor(http: HttpClient) {
+      this.#http = http;
+    }
+    
+    displayRepoDetails() {
+      this.query.data.then(response => {
+        document.getElementById('repoInfo').innerHTML = response.description; // $ Alert
+        
+        const detailsElement = document.createElement('div');
+        detailsElement.innerHTML = `<h2>${response.name}</h2><p>${response.owner.bio}</p>`;  // $ Alert
+        document.body.appendChild(detailsElement);
+      });
+    }
+}
+
+interface Response {
+  name: string;
+  description: string;
+  stargazers_count: number;
+  owner: {
+    bio: string;
+  }
+}
