jorgectf
diff --git a/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/WebView.qll
Lines changed: 26 additions & 0 deletions b/‎swift/ql/lib/codeql/swift/frameworks/StandardLibrary/WebView.qll
Lines changed: 26 additions & 0 deletions
diff --git a/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql
Lines changed: 0 additions & 11 deletions b/‎swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql
Lines changed: 0 additions & 11 deletions
diff --git a/‎swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
Lines changed: 4 additions & 1 deletion b/‎swift/ql/test/library-tests/dataflow/taint/LocalTaint.expected
Lines changed: 4 additions & 1 deletion
@@ -131,3 +131,29 @@ private class JsExportedSource extends RemoteFlowSource {
 
   override string getSourceType() { result = "Member of a type exposed through JSExport" }
 }
+
+/**
+ * A model for `WKUserScript` summaries.
+ */
+private class WKUserScriptSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";WKUserScript;true;init(source:injectionTime:forMainFrameOnly:);;;Argument[0];ReturnValue;taint",
+        ";WKUserScript;true;init(source:injectionTime:forMainFrameOnly:in:);;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * A content implying that, if a `WKUserScript` is tainted, its `source` field is tainted.
+ */
+private class WKUserScriptInheritsTaint extends TaintInheritingContent,
+  DataFlow::Content::FieldContent {
+  WKUserScriptInheritsTaint() {
+    exists(FieldDecl f | this.getField() = f |
+      f.getEnclosingDecl().(ClassOrStructDecl).getName() = "WKUserScript" and
+      f.getName() = "source"
+    )
+  }
+}
@@ -96,17 +96,6 @@ class UnsafeJsEvalConfig extends TaintTracking::Configuration {
   // TODO: convert to new taint flow models
   override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(Argument arg |
-      arg =
-        any(CallExpr ce |
-          ce.getStaticTarget()
-              .(MethodDecl)
-              .hasQualifiedName("WKUserScript",
-                [
-                  "init(source:injectionTime:forMainFrameOnly:)",
-                  "init(source:injectionTime:forMainFrameOnly:in:)"
-                ])
-        ).getArgument(0)
-      or
       arg =
         any(CallExpr ce |
           ce.getStaticTarget().(MethodDecl).hasQualifiedName("String", "init(decoding:as:)")
 
@@ -165,4 +165,7 @@
 | url.swift:100:12:100:54 | ...! | url.swift:100:12:100:56 | .standardizedFileURL |
 | url.swift:101:15:101:57 | ...! | url.swift:101:15:101:59 | .user |
 | url.swift:102:15:102:57 | ...! | url.swift:102:15:102:59 | .password |
-| webview.swift:52:11:52:18 | call to source() | webview.swift:52:10:52:41 | .body |
+| webview.swift:77:11:77:18 | call to source() | webview.swift:77:10:77:41 | .body |
+| webview.swift:130:10:130:10 | a | webview.swift:130:10:130:12 | .source |
+| webview.swift:134:10:134:10 | b | webview.swift:134:10:134:12 | .source |
+| webview.swift:139:10:139:10 | c | webview.swift:139:10:139:12 | .source |