only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -21,6 +21,11 @@ nodes
 | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:74 | documen ... bstr(1) |
 | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:40:19:40:35 | document.location |
+| react.js:40:19:40:35 | document.location |
+| react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:50 | documen ... bstr(1) |
+| react.js:40:19:40:50 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url |
 | sanitizer.js:2:15:2:25 | window.name |
 | sanitizer.js:2:15:2:25 | window.name |
@@ -223,6 +228,10 @@ edges
 | react.js:34:43:34:59 | document.location | react.js:34:43:34:64 | documen ... on.hash |
 | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
 | react.js:34:43:34:64 | documen ... on.hash | react.js:34:43:34:74 | documen ... bstr(1) |
+| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:35 | document.location | react.js:40:19:40:40 | documen ... on.hash |
+| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
+| react.js:40:19:40:40 | documen ... on.hash | react.js:40:19:40:50 | documen ... bstr(1) |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url |
@@ -396,6 +405,7 @@ edges
 | react.js:21:24:21:45 | documen ... on.hash | react.js:21:24:21:40 | document.location | react.js:21:24:21:45 | documen ... on.hash | Untrusted URL redirection due to $@. | react.js:21:24:21:40 | document.location | user-provided value |
 | react.js:28:43:28:74 | documen ... bstr(1) | react.js:28:43:28:59 | document.location | react.js:28:43:28:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:28:43:28:59 | document.location | user-provided value |
 | react.js:34:43:34:74 | documen ... bstr(1) | react.js:34:43:34:59 | document.location | react.js:34:43:34:74 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:34:43:34:59 | document.location | user-provided value |
+| react.js:40:19:40:50 | documen ... bstr(1) | react.js:40:19:40:35 | document.location | react.js:40:19:40:50 | documen ... bstr(1) | Untrusted URL redirection due to $@. | react.js:40:19:40:35 | document.location | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection due to $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js

@@ -34,4 +34,12 @@ function Page({ router }) {
   return <span onClick={() => router.push(document.location.hash.substr(1))}>Click to XSS 2</span>
 }
 
-export const pageWithRouter = withRouter(Page);
+export const pageWithRouter = withRouter(Page);
+
+export function plainLink() {
+  return <a href={document.location.hash.substr(1)}>my plain link!</a>;
+}
+
+export function someUnknown() {
+  return <FOO data={document.location.hash.substr(1)}>is safe.</FOO>;
+}