JS: introduce Vue XSS sinks

javascript/ql/src/semmle/javascript/frameworks/Vue.qll

@@ -3,7 +3,6 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.DomBasedXss
 
 module Vue {
   /**
@@ -372,5 +371,4 @@ module Vue {
    * A `.vue` file.
    */
   class VueFile extends File { VueFile() { getExtension() = "vue" } }
-
 }

javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll

@@ -188,4 +188,26 @@ module DomBasedXss {
 
     override string getVulnerabilityKind() { result = "HTML injection" }
   }
+
+
+  /**
+   * A write to the `template` option of a Vue instance, viewed as an XSS sink.
+   */
+  class VueTemplateSink extends DomBasedXss::Sink {
+    VueTemplateSink() { this = any(Vue::Instance i).getTemplate() }
+  }
+
+  /**
+   * The tag name argument to the `createElement` parameter of the
+   * `render` method of a Vue instance, viewed as an XSS sink.
+   */
+  class VueCreateElementSink extends DomBasedXss::Sink {
+    VueCreateElementSink() {
+      exists(Vue::Instance i, DataFlow::FunctionNode f |
+        f.flowsTo(i.getRender()) and
+        this = f.getParameter(0).getACall().getArgument(0)
+      )
+    }
+  }
+
 }

javascript/ql/test/library-tests/frameworks/Vue/XssSink.expected

@@ -0,0 +1,2 @@
+| tst.js:5:13:5:13 | a |
+| tst.js:38:12:38:17 | danger |

javascript/ql/test/library-tests/frameworks/Vue/XssSink.ql

@@ -0,0 +1,4 @@
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXss
+
+select any(DomBasedXss::Sink s)