require that the MetacharEscapeSanitizer is a global replace call

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -28,14 +28,15 @@ module Shared {
   abstract class SanitizerGuard extends TaintTracking::SanitizerGuardNode { }
 
   /**
-   * A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
+   * A global regexp replacement involving an HTML meta-character, viewed as a sanitizer for
    * XSS vulnerabilities.
    *
    * The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
    * so any such replacement stops taint propagation.
    */
   class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
     MetacharEscapeSanitizer() {
+      this.isGlobal() and
       exists(RegExpConstant c |
         c.getLiteral() = getRegExp().asExpr() and
         c.getValue().regexpMatch("['\"&<>]")