recognize DOMPurify.sanitize as a HTML sanitizer

Author: erik-krogh

javascript/ql/src/semmle/javascript/HtmlSanitizers.qll

@@ -48,6 +48,11 @@ private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
       or
       callee = LodashUnderscore::member("escape")
       or
+      exists(DataFlow::PropRead read | read = callee |
+        read.getPropertyName() = "sanitize" and
+        read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
+      )
+      or
       exists(string name | name = "encode" or name = "encodeNonUTF" |
         callee =
           DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or