Add support for XSS sanitizer lib

Author: mbaluda

javascript/frameworks/xsjs/ext/xsjs.model.yml

@@ -68,4 +68,5 @@ extensions:
       pack: codeql/javascript-all
       extensible: summaryModel
     data:
-      - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint]
+      - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint]
+      - ["@sap/xss-secure", "Member[encodeCSS,encodeHTML,encodeJS,encodeURL,encodeXML]", "Argument[0]", "ReturnValue", "taint"]

javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll

@@ -35,4 +35,14 @@ class Configuration extends TaintTracking::Configuration {
       )
     )
   }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node)
+    or
+    node instanceof DomBasedXss::Sanitizer
+    or
+    node =
+      DataFlow::moduleMember("@sap/xss-secure",
+        ["encodeCSS", "encodeHTML", "encodeJS", "encodeURL", "encodeXML"]).getACall().getArgument(0)
+  }
 }

javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs

@@ -36,3 +36,16 @@ function test3(requestParameters) {
 test1(requestParameters);
 test2(requestParameters);
 test3(requestParameters);
+
+/**
+ * False positive case: the value is sanitized
+ */
+var xssSecure = $.require('@sap/xss-secure');
+function test4(requestParameters) {
+  let someParameterValue4 = requestParameters.get("someParameter4");
+  $.response.contentType = "text/html";
+  $.response.setBody(requestParameterHandler(xssSecure.encodeHTML(someParameterValue4)));
+  $.response.status = $.net.http.OK;
+}
+
+test4(requestParameters);