add HtmlSanitizer as a sanitizer for DOMBasedXss

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -287,6 +287,8 @@ module DomBasedXss {
 
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
+  private class HtmlSanitizerAsSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
+
   /**
    * Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`.
    */

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected

@@ -157,10 +157,6 @@ nodes
 | xss-through-dom.js:140:19:140:21 | src |
 | xss-through-dom.js:141:25:141:27 | src |
 | xss-through-dom.js:141:25:141:27 | src |
-| xss-through-dom.js:148:25:148:65 | DOMPuri ... ) : src |
-| xss-through-dom.js:148:25:148:65 | DOMPuri ... ) : src |
-| xss-through-dom.js:148:37:148:59 | DOMPuri ... ze(src) |
-| xss-through-dom.js:148:56:148:58 | src |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -261,12 +257,8 @@ edges
 | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:140:19:140:21 | src |
 | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src |
 | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:141:25:141:27 | src |
-| xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:148:56:148:58 | src |
 | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
 | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
-| xss-through-dom.js:148:37:148:59 | DOMPuri ... ze(src) | xss-through-dom.js:148:25:148:65 | DOMPuri ... ) : src |
-| xss-through-dom.js:148:37:148:59 | DOMPuri ... ze(src) | xss-through-dom.js:148:25:148:65 | DOMPuri ... ) : src |
-| xss-through-dom.js:148:56:148:58 | src | xss-through-dom.js:148:37:148:59 | DOMPuri ... ze(src) |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -310,4 +302,3 @@ edges
 | xss-through-dom.js:132:16:132:23 | linkText | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | xss-through-dom.js:132:16:132:23 | linkText | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:130:42:130:62 | dSelect ... tring() | DOM text |
 | xss-through-dom.js:140:19:140:21 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:140:19:140:21 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
 | xss-through-dom.js:141:25:141:27 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:141:25:141:27 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
-| xss-through-dom.js:148:25:148:65 | DOMPuri ... ) : src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:148:25:148:65 | DOMPuri ... ) : src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js

@@ -145,5 +145,5 @@ const cashDom = require("cash-dom");
             return src; // to model spuriously finding an edge. The below is still OK.
         }
     };
-    cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK - but currently flagged [INCONSISTENCY]
+    cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK
 })();