JS: Recognize methods returning DOM objects

javascript/ql/src/semmle/javascript/DOM.qll

@@ -291,10 +291,33 @@ module DOM {
      */
     abstract class Range extends DataFlow::Node { }
 
+    private predicate isDomElementType(ExternalType type) { isDomRootType(type.getASupertype*()) }
+
     private string getADomPropertyName() {
       exists(ExternalInstanceMemberDecl decl |
         result = decl.getName() and
-        isDomRootType(decl.getDeclaringType().getASupertype*())
+        isDomElementType(decl.getDeclaringType())
+      )
+    }
+
+    private predicate isDomElementTypeName(string name) {
+      exists(ExternalType type |
+        isDomElementType(type) and
+        name = type.getName()
+      )
+    }
+
+    /** Gets a method name which, if invoked on a DOM element (possibly of a specific subtype), returns a DOM element. */
+    private string getAMethodProducingDomElements() {
+      exists(ExternalInstanceMemberDecl decl |
+        result = decl.getName() and
+        isDomElementType(decl.getDeclaringType()) and
+        isDomElementTypeName(decl.getDocumentation()
+              .getATagByTitle("return")
+              .getType()
+              .getAnUnderlyingType()
+              .(JSDocNamedTypeExpr)
+              .getName())
       )
     }
 
@@ -339,6 +362,8 @@ module DOM {
         or
         this = domElementCollection()
         or
+        this = domValueRef().getAMethodCall(getAMethodProducingDomElements())
+        or
         this = forms()
         or
         // reading property `foo` - where a child has `name="foo"` - resolves to that child.