Added XSS sink for innerHTML/outerHTML using new Angular attribute def

Author: aegilops

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -251,25 +251,19 @@ module DomBasedXss {
     }
   }
 
-  // /**
-  //  * A write to the `innerHTML` property of a DOM element, viewed as an XSS sink.
-  //  *
-  //  * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
-  //  */
-  // class AngularRender2SetPropertyInnerHtmlSink extends Sink {
-  //   AngularRender2SetPropertyInnerHtmlSink() {
-  //     exists(API::CallNode setProperty |
-  //       setProperty =
-  //         API::moduleImport("@angular/core")
-  //             .getMember("Renderer2")
-  //             .getInstance()
-  //             .getMember("setProperty")
-  //             .getACall() and
-  //       this = setProperty.getParameter(2).asSink() and
-  //       setProperty.getArgument(1).getStringValue() = "innerHTML"
-  //     )
-  //   }
-  // }
+  /**
+   * A write to the `innerHTML` or `outerHTML` property of a DOM element, viewed as an XSS sink.
+   *
+   * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
+   */
+  class AngularRender2SetPropertyInnerHtmlSink2 extends Sink {
+    AngularRender2SetPropertyInnerHtmlSink2() {
+      exists(Angular2::AngularRenderer2AttributeDefinition attrDef |
+        attrDef.getName() = ["innerHTML", "outerHTML"] and
+        this = attrDef.getValueNode()
+      )
+    }
+  }
 
   /**
    * A value being piped into the `safe` pipe in a template file,