JavaScript: Improve XSS sanitizer detection.

We now use local data flow to detect more regexp-based sanitizers.

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -34,7 +34,7 @@ module Shared {
     MetacharEscapeSanitizer() {
       getMethodName() = "replace" and
       exists(RegExpConstant c |
-        c.getLiteral() = getArgument(0).asExpr() and
+        c.getLiteral() = getArgument(0).getALocalSource().asExpr() and
         c.getValue().regexpMatch("['\"&<>]")
       )
     }

javascript/ql/test/query-tests/Security/CWE-079/sanitiser.js

@@ -1,8 +1,9 @@
 function escapeHtml(s) {
+    var amp = /&/g, lt = /</g, gt = />/g;
     return s.toString()
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;');
+        .replace(amp, '&amp;')
+        .replace(lt, '&lt;')
+        .replace(gt, '&gt;');
 }
 
 function escapeAttr(s) {