From 61e8f9140456611201d8f3beefe7d4f97671becd Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Fri, 30 Jan 2026 11:40:41 +0000
Subject: [PATCH 1/3] Accept MaD sanitizers for queries with MaD sinks

---
 .../CorsPermissiveConfigurationCustomizations.qll      |  4 ++++
 .../dataflow/ClientSideUrlRedirectCustomizations.qll   |  4 ++++
 .../security/dataflow/CodeInjectionCustomizations.qll  |  4 ++++
 .../dataflow/CommandInjectionCustomizations.qll        |  4 ++++
 .../security/dataflow/DomBasedXssCustomizations.qll    |  4 ++++
 .../dataflow/HardcodedCredentialsCustomizations.qll    | 10 ++++++++++
 .../javascript/security/dataflow/LogInjectionQuery.qll |  4 ++++
 .../security/dataflow/NosqlInjectionCustomizations.qll |  4 ++++
 .../security/dataflow/ReflectedXssCustomizations.qll   |  4 ++++
 .../security/dataflow/RequestForgeryCustomizations.qll |  4 ++++
 .../dataflow/ServerSideUrlRedirectCustomizations.qll   |  4 ++++
 .../security/dataflow/SqlInjectionCustomizations.qll   |  4 ++++
 .../security/dataflow/TaintedPathCustomizations.qll    |  4 ++++
 .../dataflow/UnsafeDeserializationCustomizations.qll   |  4 ++++
 14 files changed, 62 insertions(+)

diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
index e67b9e0d38cb..aa43f4607d86 100644
--- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -82,4 +82,8 @@ module CorsPermissiveConfiguration {
       )
     }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
index a8d15d0e6989..01fc7ee5e5d9 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -270,4 +270,8 @@ module ClientSideUrlRedirect {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
index 9a72ae4a2315..1d181d975919 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -438,4 +438,8 @@ module CodeInjection {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
index 6b17adcb773c..b3516a79bf49 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
@@ -58,4 +58,8 @@ module CommandInjection {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
index b7639ccc3aad..b5c0be71f452 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -421,4 +421,8 @@ module DomBasedXss {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
index 8bd9b290fc6b..54811baf14fd 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
@@ -44,4 +44,14 @@ module HardcodedCredentials {
       not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
     }
   }
+
+  /**
+   * Note that a sanitizer with kind `credentials-key` will sanitize flow to
+   * all sinks, not just sinks with the same kind.
+   */
+  private class CredentialSanitizerFromModel extends Sanitizer {
+    CredentialSanitizerFromModel() {
+      exists(string kind | ModelOutput::barrierNode(this, "credentials-" + kind))
+    }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
index 25474297d09f..6e4dbbf396ed 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -88,3 +88,7 @@ class JsonStringifySanitizer extends Sanitizer {
 private class SinkFromModel extends Sink {
   SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
 }
+
+private class SanitizerFromModel extends Sanitizer {
+  SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }
+}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
index 36c0601d501c..3d3eaadf9d3d 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
@@ -47,4 +47,8 @@ module NosqlInjection {
 
   /** An expression interpreted as a NoSql query, viewed as a sink. */
   class NosqlQuerySink extends Sink instanceof NoSql::Query { }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "nosql-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
index 82b6e99dc217..87a522df7a5e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -147,4 +147,8 @@ module ReflectedXss {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
index de2a1e3c6bf6..8d9310d46c24 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -114,4 +114,8 @@ module RequestForgery {
   class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer {
     UriEncodingSanitizer() { this.encodesPathSeparators() }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll
index 18cfaf6f7420..5827e95900da 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll
@@ -66,4 +66,8 @@ module ServerSideUrlRedirect {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
index 8afb65519ad4..6a3a9df41de6 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
@@ -74,4 +74,8 @@ module SqlInjection {
       )
     }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "sql-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
index bb1da3f4a236..735026095dff 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -1124,4 +1124,8 @@ module TaintedPath {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "path-injection") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "path-injection") }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
index 82f11ec80030..44ce8d56bcd3 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -69,4 +69,8 @@ module UnsafeDeserialization {
   private class SinkFromModel extends Sink {
     SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") }
   }
+
+  private class SanitizerFromModel extends Sanitizer {
+    SanitizerFromModel() { ModelOutput::barrierNode(this, "unsafe-deserialization") }
+  }
 }

From b8f9dd9de5e9250a4ec331690b5e8a863088c5cc Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Tue, 17 Feb 2026 14:38:56 +0000
Subject: [PATCH 2/3] Revert "javascript: add MaD model"

This reverts commit 75bd4a7a12e2a0565189734df42c9ab8e2de6995.
---
 .../lib/semmle/javascript/frameworks/NodeJSLib.model.yml   | 6 ------
 .../IncompleteHtmlAttributeSanitizationCustomizations.qll  | 4 ----
 .../IncompleteHtmlAttributeSanitization.expected           | 7 +++++++
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml
index ce6e0f684257..43035615a126 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml
@@ -8,9 +8,3 @@ extensions:
       - ['global', 'Member[process].Member[stdin].Member[on,addListener].WithStringArgument[0=data].Argument[1].Parameter[0]', 'stdin']
       - ['readline', 'Member[createInterface].ReturnValue.Member[question].Argument[1].Parameter[0]', 'stdin']
       - ['readline', 'Member[createInterface].ReturnValue.Member[on,addListener].WithStringArgument[0=line].Argument[1].Parameter[0]', 'stdin']
-
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: barrierModel
-    data:
-      - ['global', 'Member[encodeURIComponent,encodeURI].ReturnValue', 'request-forgery']
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
index c93cb07bbc71..f237304be88b 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -100,8 +100,4 @@ module IncompleteHtmlAttributeSanitization {
       result = this.getQuote()
     }
   }
-
-  private class SanitizerFromModel extends Sanitizer {
-    SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
-  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
index 3f1ac1685d79..171c7f07cab2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
@@ -6,6 +6,7 @@
 | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step |
+| tst.js:272:9:272:51 | encodeU ... /g,'')) | tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:272:28:272:50 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step |
 | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... ]/g,'') | this final HTML sanitizer step |
@@ -13,6 +14,7 @@
 | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | this final HTML sanitizer step |
 edges
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | provenance |  |
 | tst.js:274:6:274:8 | arr | tst.js:275:9:275:11 | arr | provenance |  |
 | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:8 | arr | provenance |  |
 | tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") | provenance |  |
@@ -24,6 +26,8 @@ nodes
 | tst.js:253:21:253:45 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
+| tst.js:272:9:272:51 | encodeU ... /g,'')) | semmle.label | encodeU ... /g,'')) |
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | semmle.label | s().rep ... ]/g,'') |
 | tst.js:274:6:274:8 | arr | semmle.label | arr |
 | tst.js:274:12:274:94 | s().val ... g , '') | semmle.label | s().val ... g , '') |
 | tst.js:275:9:275:11 | arr | semmle.label | arr |
@@ -34,3 +38,6 @@ nodes
 | tst.js:303:10:303:34 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | semmle.label | s().rep ... ;";\\n\\t}) |
 subpaths
+testFailures
+| tst.js:272:9:272:51 | encodeU ... /g,'')) | Unexpected result: Alert |
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | Unexpected result: Alert |

From 05f9b4124dbfb09b7c3d0d7cbaa3959e4104c0cc Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Tue, 17 Feb 2026 14:39:04 +0000
Subject: [PATCH 3/3] Revert "javascript: remove sanitizer to be replaced by
 model"

This reverts commit da2f77d6159bacad91d85040416e69561f2061e2.
---
 ...completeHtmlAttributeSanitizationCustomizations.qll | 10 ++++++++++
 .../IncompleteHtmlAttributeSanitization.expected       |  7 -------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
index f237304be88b..f421a92298f9 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll
@@ -100,4 +100,14 @@ module IncompleteHtmlAttributeSanitization {
       result = this.getQuote()
     }
   }
+
+  /**
+   * An encoder for potentially malicious characters, as a sanitizer
+   * for incomplete HTML sanitization vulnerabilities.
+   */
+  class EncodingSanitizer extends Sanitizer {
+    EncodingSanitizer() {
+      this = DataFlow::globalVarRef(["encodeURIComponent", "encodeURI"]).getACall()
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
index 171c7f07cab2..3f1ac1685d79 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
@@ -6,7 +6,6 @@
 | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step |
-| tst.js:272:9:272:51 | encodeU ... /g,'')) | tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:272:28:272:50 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step |
 | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... ]/g,'') | this final HTML sanitizer step |
@@ -14,7 +13,6 @@
 | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | this final HTML sanitizer step |
 edges
-| tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | provenance |  |
 | tst.js:274:6:274:8 | arr | tst.js:275:9:275:11 | arr | provenance |  |
 | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:8 | arr | provenance |  |
 | tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") | provenance |  |
@@ -26,8 +24,6 @@ nodes
 | tst.js:253:21:253:45 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
-| tst.js:272:9:272:51 | encodeU ... /g,'')) | semmle.label | encodeU ... /g,'')) |
-| tst.js:272:28:272:50 | s().rep ... ]/g,'') | semmle.label | s().rep ... ]/g,'') |
 | tst.js:274:6:274:8 | arr | semmle.label | arr |
 | tst.js:274:12:274:94 | s().val ... g , '') | semmle.label | s().val ... g , '') |
 | tst.js:275:9:275:11 | arr | semmle.label | arr |
@@ -38,6 +34,3 @@ nodes
 | tst.js:303:10:303:34 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | semmle.label | s().rep ... ;";\\n\\t}) |
 subpaths
-testFailures
-| tst.js:272:9:272:51 | encodeU ... /g,'')) | Unexpected result: Alert |
-| tst.js:272:28:272:50 | s().rep ... ]/g,'') | Unexpected result: Alert |