JS: Now BadHtmlSanitizers also flags new RegExp as potential issue

Author: Napalys

javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll

@@ -74,7 +74,7 @@ private StringReplaceCall getAStringReplaceMethodCall(StringReplaceCall n) {
 module HtmlSanitization {
   private predicate fixedGlobalReplacement(StringReplaceCallSequence chain) {
     forall(StringReplaceCall member | member = chain.getAMember() |
-      member.isGlobal() and member.getArgument(0) instanceof DataFlow::RegExpLiteralNode
+      member.isGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode
     )
   }
 

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected

@@ -65,3 +65,6 @@
 | tst.js:305:10:305:34 | s().rep ... ]/g,'') | This HTML sanitizer does not sanitize double quotes |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | This HTML sanitizer does not sanitize single quotes |
 | tst.js:320:9:329:3 | s().rep ... ;";\\n\\t}) | This HTML sanitizer does not sanitize single quotes |
+| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize single quotes |

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js

@@ -330,5 +330,5 @@ function incompleteComplexSanitizers() {
 }
 
 function typicalBadHtmlSanitizers(s) {
-	s().replace(new RegExp("[<>]", "g"),''); // NOT OK -- should be not okay, but is not flagged
+	s().replace(new RegExp("[<>]", "g"),''); // NOT OK
 }