JS: add tests for missing flow of regular expressions

javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js

@@ -60,3 +60,12 @@ function badPercentEscape(s) {
   s = s.replace(/%/g, '%25');
   return s;
 }
+
+function badEncode(s) {
+  var indirect1 = /"/g;
+  var indirect2 = /'/g;
+  var indirect3 = /&/g;
+  return s.replace(indirect1, """)
+          .replace(indirect2, "'")
+          .replace(indirect3, "&");
+}

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js

@@ -163,3 +163,8 @@ app.get('/some/path', function(req, res) {
   flowifyComments(untrusted);
   good11(untrusted);
 });
+
+(function (s) {
+	var indirect = /'/;
+	return s.replace(indirect, ""); // NOT OK
+});

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js

@@ -1,2 +1,7 @@
 // NOT OK
 window.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];
+
+(function(){
+	var indirect = /.*redirect=([^&]*).*/;
+	window.location = indirect.exec(document.location.href)[1];
+});