Merge pull request #6193 from esbena/esbena/mootools-xss

JS: add Mootools XSS sinks

javascript/ql/src/javascript.qll

@@ -103,6 +103,7 @@ import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks
 import semmle.javascript.frameworks.HttpProxy
 import semmle.javascript.frameworks.Markdown
+import semmle.javascript.frameworks.MooTools
 import semmle.javascript.frameworks.Nest
 import semmle.javascript.frameworks.Next
 import semmle.javascript.frameworks.NoSQL

javascript/ql/src/semmle/javascript/frameworks/MooTools.qll

@@ -0,0 +1,38 @@
+/**
+ * Provides classes for working with MooTools code.
+ */
+
+import javascript
+
+module MooTools {
+  private class Element extends DataFlow::NewNode {
+    Element() {
+      this = DataFlow::globalVarRef("Element").getAnInstantiation() and
+      // sharpen slightly to avoid spurious matches for the global variable
+      this.getNumArgument() = [1, 2]
+    }
+
+    DataFlow::Node getAnElementPropertyValue(string name) {
+      result = this.getOptionArgument(1, name)
+      or
+      exists(DataFlow::MethodCallNode mcn |
+        mcn = this.getAMethodCall(["set", "setProperty"]) and
+        mcn.getArgument(0).mayHaveStringValue(name) and
+        result = mcn.getArgument(1)
+        or
+        mcn = this.getAMethodCall(["set", "setProperties"]) and
+        result = mcn.getOptionArgument(0, name)
+      )
+    }
+  }
+
+  /**
+   * Holds if MooTools interprets `node` as HTML.
+   */
+  predicate interpretsNodeAsHtml(DataFlow::Node node) {
+    exists(Element e |
+      node = e.getAnElementPropertyValue("html") or
+      node = e.getAMethodCall(["appendHtml"]).getArgument(0)
+    )
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -192,6 +192,8 @@ module DomBasedXss {
         this = instance.getArgument(0) and
         instance.getOptionArgument(1, "runScripts").mayHaveStringValue("dangerously")
       )
+      or
+      MooTools::interpretsNodeAsHtml(this)
     }
   }