JS: Removed encodeURI from sanitizer list for xss and request forgery

Author: Napalys

javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll

@@ -106,9 +106,9 @@ module RequestForgery {
   private import Xss as Xss
 
   /**
-   * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for request forgery.
+   * A call to `encodeURIComponent`, viewed as a sanitizer for request forgery.
    * These calls will escape "/" to "%2F", which is not a problem for request forgery.
-   * The result from calling `encodeURI` or `encodeURIComponent` is not a valid URL, and only makes sense
+   * The result from calling `encodeURIComponent` is not a valid URL, and only makes sense
    * as a part of a URL.
    */
   class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { }

javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll

@@ -47,13 +47,13 @@ module Shared {
   }
 
   /**
-   * A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for
+   * A call to `encodeURIComponent`, viewed as a sanitizer for
    * XSS vulnerabilities.
    */
   class UriEncodingSanitizer extends Sanitizer, DataFlow::CallNode {
     UriEncodingSanitizer() {
       exists(string name | this = DataFlow::globalVarRef(name).getACall() |
-        name in ["encodeURI", "encodeURIComponent", "escape"]
+        name in ["encodeURIComponent", "escape"]
       )
     }
   }