Merge pull request #19027 from Napalys/js/escape

JS: Add support for `escape`

javascript/ql/lib/change-notes/2025-03-14-escape.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added additional flow step for `unescape()` and `escape()`.

javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

@@ -494,7 +494,8 @@ module TaintTracking {
           succ = c and
           c =
             DataFlow::globalVarRef([
-                "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent", "unescape"
+                "encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent", "unescape",
+                "escape"
               ]).getACall() and
           pred = c.getArgument(0)
         )

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -892,7 +892,13 @@ module TaintedPath {
       TaintTracking::uriStep(node1, node2)
       or
       exists(DataFlow::CallNode decode |
-        decode.getCalleeName() = "decodeURIComponent" or decode.getCalleeName() = "decodeURI"
+        decode =
+          DataFlow::globalVarRef([
+              "decodeURIComponent",
+              "decodeURI",
+              "escape",
+              "unescape"
+            ]).getACall()
       |
         node1 = decode.getArgument(0) and
         node2 = decode

javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll

@@ -53,7 +53,7 @@ module Shared {
   class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {
     UriEncodingSanitizer() {
       exists(string name | this = DataFlow::globalVarRef(name).getACall() |
-        name = "encodeURI" or name = "encodeURIComponent"
+        name in ["encodeURI", "encodeURIComponent", "escape"]
       )
     }
   }