tests

Author: mbaluda

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -93,7 +93,6 @@ extensions:
       - ["UI5HTMLControl", "Argument[0].Member[content]", "ui5-html-injection"]
       - ["UI5HTMLControl", "Member[content]", "ui5-html-injection"]
       - ["UI5HTMLControl", "Member[setContent].Argument[0]", "ui5-html-injection"]
-      - ["sap/ui/richtexteditor/RichTextEditor", "Argument[0].Member[value]", "ui5-html-injection"]
       - ["sap/ui/richtexteditor/RichTextEditor", "Member[value]", "ui5-html-injection"]
       - ["sap/ui/richtexteditor/RichTextEditor", "Member[setValue].Argument[0]", "ui5-html-injection"]
       - ["Patcher", "Member[unsafeHtml].Argument[0..]", "ui5-html-injection"]

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -844,7 +844,6 @@ class UI5Control extends TUI5Control {
    */
   predicate isHTMLSanitized() {
     this.getControlTypeName() = "sap/ui/richtexteditor/RichTextEditor" and
-    this.isSanitizePropertySetTo("sanitizeValue", true) and
     not this.isSanitizePropertySetTo("sanitizeValue", false)
     or
     this.getControlTypeName() = "sap/ui/core/HTML" and

javascript/frameworks/ui5/test/models/sink/UI5ViewSinkTest.expected

@@ -1,2 +1,2 @@
 | sink1.xml:6:5:6:44 | content={path: '/input'} | The binding path `content={path: '/input'}` is an HTML injection sink. |
-| sink1.xml:8:5:8:51 | value={path: '/input'} | The binding path `value={path: '/input'}` is an HTML injection sink. |
+| sink1.xml:8:5:8:73 | value={path: '/input'} | The binding path `value={path: '/input'}` is an HTML injection sink. |

javascript/frameworks/ui5/test/models/sink/sink.js

@@ -126,11 +126,11 @@ sap.ui.define(
     var value = sap.ui.core.util.File.save(code0, code1, "csv", "text/plain", code4, code5);
     var value = sap.ui.core.util.File.save(code0, code1, code2, code3, code4, code5);
 
-    var obj = new HTML({ content: code0, sanitizeContent: true });
+    var obj = new HTML({ content: code0, sanitizeContent: true }); // FP
     var obj = new HTML({ content: code0, sanitizeContent: false });
 
     var obj = new RichTextEditor({ value: code0 });
-    var obj = new RichTextEditor({ value: code0, sanitizeValue: true });
-    var obj = new RichTextEditor({ value: code0, sanitizeValue: false });
+    var obj = new RichTextEditor({ value: code0, sanitizeValue: true }); 
+    var obj = new RichTextEditor({ value: code0, sanitizeValue: false }); // FN
   },
 );

javascript/frameworks/ui5/test/models/sink/sink1.xml

@@ -5,6 +5,6 @@
     xmlns:rte="sap.ui.richtexteditor">
     <core:HTML content="{path: '/input'}"/> <!--XSS sink sap.ui.core.HTML.content -->
     <core:HTML content="{path: '/input'}" sanitizeContent="true"/> <!--sanitized XSS sink sap.ui.core.HTML.content -->
-    <rte:RichTextEditor value="{path: '/input'}"/> <!--XSS sink sap.ui.core.HTML.content -->
-    <rte:RichTextEditor value="{path: '/input'}" sanitizeValue="true"/> <!--sanitized XSS sink sap.ui.core.HTML.content -->
+    <rte:RichTextEditor value="{path: '/input'}" sanitizeValue="false"/> <!--XSS sink sap.ui.core.HTML.content -->
+    <rte:RichTextEditor value="{path: '/input'}"/> <!--sanitized XSS sink sap.ui.core.HTML.content -->
 </mvc:View>

javascript/frameworks/ui5/test/models/sink/xssSinkTest.expected

@@ -12,6 +12,3 @@
 | sink.js:113:32:113:36 | code0 | code0 |
 | sink.js:129:35:129:39 | code0 | code0 |
 | sink.js:130:35:130:39 | code0 | code0 |
-| sink.js:132:43:132:47 | code0 | code0 |
-| sink.js:133:43:133:47 | code0 | code0 |
-| sink.js:134:43:134:47 | code0 | code0 |