JS: support flow out of "this" in constructor call

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -1,4 +1,10 @@
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
+| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |
+| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:26:8:26:14 | d.taint |
+| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:30:8:30:19 | d_safe.taint |
+| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
+| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |

javascript/ql/test/library-tests/TaintTracking/constructor-calls.js

@@ -0,0 +1,31 @@
+class EcmaClass {
+  constructor(param) {
+    this.param = param;
+    this.taint = source();
+  }
+}
+
+function JsClass(param) {
+  this.param = param;
+  this.taint = source();
+}
+
+function test() {
+  let taint = source();
+
+  let c = new EcmaClass(taint);
+  sink(c.param); // NOT OK
+  sink(c.taint); // NOT OK
+  
+  let c_safe = new EcmaClass("safe");
+  sink(c_safe.param); // OK
+  sink(c_safe.taint); // NOT OK
+  
+  let d = new JsClass(taint);
+  sink(d.param); // NOT OK
+  sink(d.taint); // NOT OK
+  
+  let d_safe = new JsClass("safe");
+  sink(d_safe.param); // OK
+  sink(d_safe.taint); // NOT OK
+}