JS: Add tests for flow through replace

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -124,6 +124,11 @@ typeInferenceMismatch
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:27:14:27:22 | RegExp.$1 |
 | static-capture-groups.js:32:17:32:24 | source() | static-capture-groups.js:38:10:38:18 | RegExp.$1 |
 | static-capture-groups.js:42:12:42:19 | source() | static-capture-groups.js:43:14:43:22 | RegExp.$1 |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:14:10:14:13 | data |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:18:10:18:13 | data |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:21:6:21:41 | safe(). ...  taint) |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:22:6:22:48 | safe(). ...  taint) |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:24:6:24:45 | taint.r ...  + '!') |
 | thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
 | thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |

javascript/ql/test/library-tests/TaintTracking/string-replace.js

@@ -0,0 +1,24 @@
+import 'dummy';
+
+let taint = source();
+
+taint.replace('foo', data => {
+    sink(data); // OK - can only be the value 'foo'
+});
+
+taint.replace(/\d+/, data => {
+    sink(data); // OK - can only be digits
+});
+
+taint.replace(/[^a-z]+/, data => {
+    sink(data); // NOT OK
+});
+
+taint.replace(/&[^&]+;/, data => {
+    sink(data); // NOT OK
+});
+
+sink(safe().replace('foo', data => taint)); // NOT OK
+sink(safe().replace('foo', data => data + taint)); // NOT OK
+
+sink(taint.replace('foo', data => data + '!')); // NOT OK -- propagates through replace call