rename function isHTMLSanitized

Author: mbaluda

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -838,28 +838,29 @@ class UI5Control extends TUI5Control {
   string getControlTypeName() { result = this.getQualifiedType().replaceAll(".", "/") }
 
   /**
-   * Holds if the attribute `sanitizeContent`
-   * in controls `sap.ui.core.HTML` and `sap.ui.richttexteditor.RichTextEditor`
-   * is set to true and never set to false anywhere
+   * Holds if the control content is sanitized for HTML
+   * 'sap/ui/core/HTML' sanitized using the property 'sanitizeContent'
+   * 'sap/ui/richttexteditor/RichTextEditor' sanitized using the property 'sanitizeValue'
    */
-  predicate isSanitizedControl() {
-    not this = this.sanitizeContentSetTo(false) and
-    (
-      this.getControlTypeName() = "sap/ui/richttexteditor/RichTextEditor"
-      or
-      this.getControlTypeName() = "sap/ui/core/HTML" and
-      this = this.sanitizeContentSetTo(true)
-    )
+  predicate isHTMLSanitized() {
+    this.getControlTypeName() = "sap/ui/richttexteditor/RichTextEditor" and
+    this.isSanitizePropertySetTo("sanitizeValue", true) and
+    not this.isSanitizePropertySetTo("sanitizeValue", false)
+    or
+    this.getControlTypeName() = "sap/ui/core/HTML" and
+    this.isSanitizePropertySetTo("sanitizeContent", true) and
+    not this.isSanitizePropertySetTo("sanitizeContent", false)
   }
 
-  private predicate sanitizeContentSetTo(boolean val) {
-    this.getAReference().getAPropertyWrite("sanitizeContent").getRhs().mayHaveBooleanValue(val)
+  bindingset[propName, val]
+  private predicate isSanitizePropertySetTo(string propName, boolean val) {
+    /* 1. `sanitizeContent` attribute is set declaratively. */
+    this.getProperty(propName).toString() = val.toString()
     or
-    exists(CallNode setPropertyCall |
-      setPropertyCall = this.getAReference().getAMemberCall("setProperty")
-    |
-      setPropertyCall.getArgument(0).getStringValue() = "sanitizeContent" and
-      setPropertyCall.getArgument(1).mayHaveBooleanValue(val)
+    /* 2. `sanitizeContent` attribute is set programmatically using setProperty(). */
+    exists(CallNode node | node = this.getAReference().getAMemberCall("setProperty") |
+      node.getArgument(0).getStringValue() = propName and
+      not node.getArgument(1).mayHaveBooleanValue(val.booleanNot())
     )
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll

@@ -1,7 +1,6 @@
 import javascript
 import semmle.javascript.dataflow.DataFlow as StdLibDataFlow
 import advanced_security.javascript.frameworks.ui5.UI5
-import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.RemoteFlowSources
 import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps
 private import PatchDataFlow
@@ -107,7 +106,7 @@ module UI5PathGraph<PathNodeSig ConfigPathNode, PathGraphSig<ConfigPathNode> Con
     }
 
     UI5PathNode getAPrimaryHtmlISink() {
-      not result.asUI5BindingPathNode().getControlDeclaration().isSanitizedControl() and
+      not result.asUI5BindingPathNode().getControlDeclaration().isHTMLSanitized() and
       if
         this.asDataFlowNode() instanceof LocalModelContentBoundBidirectionallyToHtmlISinkControl or
         this.asDataFlowNode() instanceof UI5ExternalModel // TODO: Narrow it down to ExternalModelBoundToHtmlISinkControl