From cc08eccf056f1134438014b2ecb53803b87f86d3 Mon Sep 17 00:00:00 2001
From: Esben Sparre Andreasen
Date: Tue, 27 Oct 2020 22:07:57 +0100
Subject: [PATCH] Remove additional Xss sinks
---
 benjamin-button.md | 2 ++
 javascript/ql/lib/semmle/javascript/DOM.qll | 5 -----
 javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll | 2 --
 3 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/benjamin-button.md b/benjamin-button.md
index c009f7d1f43..57f65b9354a 100644
--- a/benjamin-button.md
+++ b/benjamin-button.md
@@ -26,6 +26,8 @@ Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by lookin
 - the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
 - the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink
+- recursive type tracking for `jQuery::dollar`, `DOM::domValueRef`.
+
 ## SqlInjection.ql
 Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at:
diff --git a/javascript/ql/lib/semmle/javascript/DOM.qll b/javascript/ql/lib/semmle/javascript/DOM.qll
index ddfc23d0c05..3bf43e7a1d9 100644
--- a/javascript/ql/lib/semmle/javascript/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/DOM.qll
@@ -392,11 +392,6 @@ module DOM {
 or
 t.start() and
 result = domValueRef().getAMethodCall(["item", "namedItem"])
- or
- t.startInProp("target") and
- result = domEventSource()
- or
- exists(DataFlow::TypeTracker t2 | result = domValueRef(t2).track(t2, t))
 }
 /** Gets a data flow node that may refer to a value from the DOM. */
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
index 9c79eae01c0..148aa68ccb8 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/jQuery.qll
@@ -485,8 +485,6 @@ module JQuery {
 private DataFlow::SourceNode dollar(DataFlow::TypeTracker t) {
 t.start() and
 result = dollarSource()
- or
- exists(DataFlow::TypeTracker t2 | result = dollar(t2).track(t2, t))
 }
 /**