codeql/javascript/ql/test/library-tests/HtmlSanitizers/HtmlSanitizerCalls.ql

import javascript

class Assertion extends DataFlow::CallNode {
  Assertion() {
    getCalleeName() = "checkEscaped" or
    getCalleeName() = "checkStripped" or
    getCalleeName() = "checkNotEscaped"
  }

  predicate shouldBeSanitizer() {
    getCalleeName() != "checkNotEscaped"
  }

  string getMessage() {
    if shouldBeSanitizer() and not getArgument(0) instanceof HtmlSanitizerCall then
      result = "Should be marked as sanitizer"
    else if not shouldBeSanitizer() and getArgument(0) instanceof HtmlSanitizerCall then
      result = "Should not be marked as sanitizer"
    else
      result = "OK"
  }
}

from Assertion assertion
select assertion, assertion.getMessage()