add tests

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js

@@ -466,3 +466,25 @@ function domMethods() {
   let cell = row.insertCell();
   cell.innerHTML = source; // NOT OK
 }
+
+function urlStuff() {
+  var url = document.location.search.substr(1);
+
+  $("<a>", {href: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
+  $("#foo").attr("href", url); // NOT OK - but not detected [INCONSISTENCY]
+  $("#foo").attr({href: url}); // NOT OK - but not detected [INCONSISTENCY]
+  $("<img>", {src: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
+  $("<a>", {href: win.location.href}).appendTo("body"); // OK
+
+  $("<img>", {src: "http://google.com/" + url}).appendTo("body"); // OK
+
+  $("<img>", {src: ["http://google.com", url].join("/")}).appendTo("body"); // OK
+
+  if (url.startsWith("https://")) {
+    $("<img>", {src: url}).appendTo("body"); // OK
+  } else {
+    $("<img>", {src: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
+  }
+
+  window.open(location.hash.substr(1)); // OK - any JavaScript is executed in another context
+}

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js

@@ -72,4 +72,13 @@ function quz() {
     var payload = history.location.hash.substr(1);
 
     history.replace(payload); // NOT OK
-}
+}
+
+function bar() {
+    var url = document.location.search.substr(1);
+
+    $("<a>", {href: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
+    $("#foo").attr("href", url); // NOT OK - but not detected [INCONSISTENCY]
+    $("#foo").attr({href: url}); // NOT OK - but not detected [INCONSISTENCY]
+    $("<img>", {src: url}).appendTo("body"); // NOT OK - but not detected [INCONSISTENCY]
+}