Add unit test cases to test DangerouslySetElementValueOfInstantiatedHTMLControlPlacedAtDom

Author: jeongsoolee09

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/dangerousWriteToHtmlContent.expected

@@ -0,0 +1,5 @@
+import javascript
+import advanced_security.javascript.frameworks.ui5.UI5
+import advanced_security.javascript.frameworks.ui5.UI5View
+
+select "TODO", "TODO"

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/dangerousWriteToHtmlContent.ql

@@ -0,0 +1,5 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "main": "index.js"
+}

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/package-lock.json

@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: sap-ui5-xss
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/package.json

@@ -0,0 +1,46 @@
+sap.ui.define(
+  [
+    "sap/ui/core/mvc/Controller",
+    "sap/m/Input",
+    "sap/m/Button",
+    "sap/m/VBox",
+    "sap/ui/core/HTML",
+  ],
+  function (Controller, Input, Button, VBox, HTML) {
+    "use strict";
+    return Controller.extend("codeql-sap-js.controller.app", {
+      onInit: function () {
+        let inputReference = this.getView().byId("unit-test-target1");
+        let htmlControl = this.getView().byId("htmlControl");
+
+        /* ========== 1. Input value piped into static HTML, via a reference ========== */
+        /* 1-1. Value directly set to `HTML.content` */
+        htmlControl.content = inputReference.getValue();
+
+        /* 1-2. Value set by `HTML.setContent(content)` */
+        htmlControl.setContent(inputReference.getValue());
+      },
+
+      doSomething: function () {
+        let inputReference = this.getView().byId("unit-test-target1");
+
+        /* ========== 2. Input value piped into dynamic HTML, instantiated and placed on-demand ========== */
+        /* 2-1. Value passed to the argument of the constructor call */
+        let htmlControl1 = new HTML({
+          content: `<div>${inputReference.getValue()}</div>`,
+        });
+        htmlControl1.placeAt("HTMLPlaceholder");
+
+        /* 2-2. Value directly set to `HTML.content` */
+        let htmlControl2 = new HTML();
+        htmlControl2.content = inputReference.getValue();
+        htmlControl2.placeAt("HTMLPlaceholder");
+
+        /* 2-3. Value set by `HTML.setContent(content)` */
+        let htmlControl3 = new HTML();
+        htmlControl3.setContent(inputReference.getValue());
+        htmlControl3.placeAt("HTMLPlaceholder");
+      },
+    });
+  }
+);

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/ui5.yaml

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>SAPUI5 XSS</title>
+    <script
+      src="https://sdk.openui5.org/resources/sap-ui-core.js"
+      data-sap-ui-libs="sap.m"
+      data-sap-ui-onInit="module:codeql-sap-js/index"
+      data-sap-ui-resourceroots='{
+            "codeql-sap-js": "./"
+        }'
+    ></script>
+  </head>
+
+  <body class="sapUiBody" id="content"></body>
+  <div id="HTMLPlaceholder" />
+</html>

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/webapp/controller/app.controller.js

@@ -0,0 +1,11 @@
+sap.ui.define([
+    "sap/ui/core/mvc/XMLView"
+], function (XMLView) {
+    "use strict";
+    XMLView.create({
+        viewName: "codeql-sap-js.view.app"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+
+}); 

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/webapp/index.html

@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "sap-ui5-xss"
+    }
+}

javascript/frameworks/ui5/test/models/dangerous_write_to_html_content/webapp/index.js

@@ -0,0 +1,7 @@
+<mvc:View controllerName="codeql-sap-js.controller.app"
+    xmlns="sap.m"
+    xmlns:mvc="sap.ui.core.mvc">
+    <Input id="unit-test-target1" />
+    <Button id="button" press=".doSomething" />
+    <HTML id="htmlControl" />
+</mvc:View>