JS: Fix alert location and use RelatedLocation in InsecureUrlWhitelist

Author: asgerf

javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js

@@ -1,11 +1,11 @@
 angular.module('myApp', [])
     .config(function($sceDelegateProvider) {
         $sceDelegateProvider.resourceUrlWhitelist([
-            "**://example.com/*", // $ Alert - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a)
-            "*://example.org/*", // $ Alert - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!)
-            "https://**.example.com/*", // $ Alert - exploit: https://evil.com/?ignore=://example.com/a
-            "https://example.**", // $ Alert - exploit: https://example.evil.com or http://example.:[email protected]
-            "https://example.*", // $ Alert - exploit: https://example.UnexpectedTLD
+            "**://example.com/*", // $ RelatedLocation - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a)
+            "*://example.org/*", // $ RelatedLocation - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!)
+            "https://**.example.com/*", // $ RelatedLocation - exploit: https://evil.com/?ignore=://example.com/a
+            "https://example.**", // $ RelatedLocation - exploit: https://example.evil.com or http://example.:[email protected]
+            "https://example.*", // $ RelatedLocation - exploit: https://example.UnexpectedTLD
 
             "https://example.com",
             "https://example.com/**",
@@ -19,6 +19,6 @@ angular.module('myApp', [])
             "https://*.example.com",
 
             // not flagged:
-            /http:\/\/www.example.org/g // $ Alert - (exploit http://wwwaexample.org (dots are not escaped))
-        ]);
+            /http:\/\/www.example.org/g // $ MISSING: RelatedLocation - (exploit http://wwwaexample.org (dots are not escaped))
+        ]); // $ Alert
     });