add test for json stringify xss

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -1,4 +1,18 @@
 nodes
+| JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") |
+| JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` |
+| JsonStringify.jsx:14:53:14:58 | locale |
+| JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` |
+| JsonStringify.jsx:22:58:22:63 | locale |
+| JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
 | addEventListener.js:1:43:1:47 | event |
 | addEventListener.js:1:43:1:47 | event |
 | addEventListener.js:1:43:1:47 | event |
@@ -1154,6 +1168,22 @@ nodes
 | xmlRequest.js:22:24:22:35 | json.message |
 | xmlRequest.js:22:24:22:35 | json.message |
 edges
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:14:53:14:58 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:22:58:22:63 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:9:5:36 | locale | JsonStringify.jsx:30:40:30:45 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:5:18:5:36 | req.param("locale") | JsonStringify.jsx:5:9:5:36 | locale |
+| JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:14:53:14:58 | locale | JsonStringify.jsx:14:18:14:60 | `https: ... ocale}` |
+| JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` | JsonStringify.jsx:34:40:34:61 | JSON.st ... jsonLD) |
+| JsonStringify.jsx:22:58:22:63 | locale | JsonStringify.jsx:22:18:22:65 | `https: ... ocale}` |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |
 | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:24 | event |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx

@@ -0,0 +1,40 @@
+var express = require("express");
+var app = express();
+
+app.get("/some/path", function (req, res) {
+  const locale = req.param("locale");
+  const jsonLD = {
+    "@context": "https://schema.org",
+    "@type": "BreadcrumbList",
+    itemListElement: [
+      {
+        "@type": "ListItem",
+        position: 1,
+        item: {
+          "@id": `https://example.com/some?locale=${locale}`,
+          name: "Some",
+        },
+      },
+      {
+        "@type": "ListItem",
+        position: 2,
+        item: {
+          "@id": `https://example.com/some/path?locale=${locale}`,
+          name: "Real Dresses",
+        },
+      },
+    ],
+  };
+  <script
+    type="application/ld+json"
+    dangerouslySetInnerHTML={{ __html: locale }} // NOT OK
+  />;
+  <script
+    type="application/ld+json"
+    dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLD) }} // NOT OK
+  />;
+  <script
+    type="application/ld+json"
+    dangerouslySetInnerHTML={{ __html: JSON.stringify({}) }} // OK
+  />;
+});