reuse existing SanitizerGuard from UnsafeJQueryPlugin

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll

@@ -12,6 +12,7 @@ module XssThroughDom {
   import Xss::XssThroughDom
   private import semmle.javascript.security.dataflow.Xss::DomBasedXss as DomBasedXss
   private import semmle.javascript.dataflow.InferredTypes
+  private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQuery
 
   /**
    * A taint-tracking configuration for reasoning about XSS through the DOM.
@@ -30,7 +31,7 @@ module XssThroughDom {
 
     override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
       guard instanceof TypeTestGuard or
-      guard instanceof HasNodePropertySanitizerGuard
+      guard instanceof UnsafeJQuery::PropertyPresenceSanitizer
     }
   }
 
@@ -122,22 +123,4 @@ module XssThroughDom {
       e = typeof.getOperand()
     }
   }
-
-  /**
-   * The precense of a `nodeType` or `jquery` property indicates that the value is a DOM node, and not the text of a DOM node.
-   *
-   * This sanitizer helps prune infeasible paths in type-overloaded functions.
-   */
-  class HasNodePropertySanitizerGuard extends TaintTracking::SanitizerGuardNode {
-    DataFlow::PropRead read;
-
-    HasNodePropertySanitizerGuard() {
-      read = this and
-      read.getPropertyName() = ["nodeType", "jquery"]
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      e = read.getBase().asExpr() and outcome = true
-    }
-  }
 }

javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js

@@ -62,4 +62,9 @@
 
 	var valMethod = $("textarea").val;
 	$("#id").get(0).innerHTML = valMethod(); // NOT OK
+	
+	var myValue = $(document).find("option").attr("value");
+	if(myValue.property) {
+		$("#id").get(0).innerHTML = myValue; // OK.
+	}
 })();