CodeQL queries and supporting models for the SAP UI5 JavaScript framework
- UI5 AMD-style components (also via jQuery)
- MVC elements:
  - UI5 Controllers and Data Models (literal/external JSON models)
  - UI5 declarative Views (XML/JSON/HTML/JS)
  - Library/custom UI5 Controls
- Project naming conventions (e.g. Control-Renderer)
- Source/Sink definition via ModelAsData extensions
- Controls inheritance via ModelAsData extensions
The following tables list the main supported features together with the test cases that exercise them.
| test | library controls | MaD sources/sinks | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | access path via handler |
|---|---|---|---|---|---|---|---|---|
| xss-html-control | ✅︎ | ✅︎ | | XMLView | | | | |
| xss-custom-control-api1 | ✅︎ | ✅︎ | ✅︎ | XMLView | | classic | | |
| xss-custom-control-api2 | ✅︎ | ✅︎ | ✅︎ | XMLView | | DOM | | |
| xss-json-view, xss-html-view, xss-js-view | ✅︎ | ✅︎ | | JSONView, HTMLView, JSView | | | | |
| log-html-control-df | ✅︎ | ✅︎ | | XMLView | ✅︎ | | | |
| sanitized | ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ | |
| xss-event-handlers | ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
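The api1, api2 and sanitized rows above distinguish the two RenderManager APIs a custom control can use. What follows is an added example, not code from the codeql-sap-js project or its test cases: one custom-control renderer written against the classic API (`write`/`writeEscaped`) and one against the apiVersion 2 API (`openStart`/`text`/`unsafeHtml`), each in a vulnerable and a hardened form. `FakeRenderManager`, `makeControl` and `PAYLOAD` are constructed stand-ins so the file runs without SAPUI5; the real `sap.ui.core.RenderManager` has these method names but does considerably more, and a real renderer would be returned from `sap.ui.define`.

```javascript
"use strict";

// Added example, not part of the codeql-sap-js project. The renderer
// objects below have the shape UI5 expects (render(rm, control)); the
// RenderManager and control are constructed stand-ins so this runs offline.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal stand-in for sap.ui.core.RenderManager: records the HTML it would
// emit. Method names match the real API; behaviour is reduced to escaping.
class FakeRenderManager {
  constructor() { this.html = ""; this.tagOpen = false; }
  // classic API
  write(s) { this.html += s; return this; }                 // raw HTML: sink
  writeEscaped(s) { this.html += escapeHtml(s); return this; }
  // apiVersion 2 (semantic rendering) API
  openStart(tag, ctrl) {
    this.html += "<" + tag + (ctrl ? ' id="' + escapeHtml(ctrl.getId()) + '"' : "");
    this.tagOpen = true;
    return this;
  }
  attr(name, value) {
    if (!this.tagOpen) throw new Error("attr() outside an open tag");
    this.html += " " + name + '="' + escapeHtml(value) + '"';
    return this;
  }
  openEnd() { this.html += ">"; this.tagOpen = false; return this; }
  text(s) { this.html += escapeHtml(s); return this; }
  unsafeHtml(s) { this.html += s; return this; }            // raw HTML: sink
  close(tag) { this.html += "</" + tag + ">"; return this; }
}

// A control as the renderer sees it: only the property getters matter here.
function makeControl(id, text) {
  return { getId: () => id, getText: () => text };
}

// api1 (classic): the "text" property reaches rm.write() unescaped.
const ClassicRendererVulnerable = {
  render(rm, ctrl) {
    rm.write('<div id="' + ctrl.getId() + '">');
    rm.write(ctrl.getText());            // sink
    rm.write("</div>");
  },
};

// Hardened classic renderer: writeEscaped() is the sanitizer.
const ClassicRendererSafe = {
  render(rm, ctrl) {
    rm.write('<div id="' + escapeHtml(ctrl.getId()) + '">');
    rm.writeEscaped(ctrl.getText());     // sanitizer
    rm.write("</div>");
  },
};

// api2 (DOM / semantic rendering): unsafeHtml() is the raw sink.
const DomRendererVulnerable = {
  apiVersion: 2,
  render(rm, ctrl) {
    rm.openStart("div", ctrl).openEnd();
    rm.unsafeHtml(ctrl.getText());       // sink
    rm.close("div");
  },
};

// Hardened apiVersion 2 renderer: attr() and text() escape for their context.
const DomRendererSafe = {
  apiVersion: 2,
  render(rm, ctrl) {
    rm.openStart("div", ctrl).attr("title", ctrl.getText()).openEnd();
    rm.text(ctrl.getText());
    rm.close("div");
  },
};

function renderWith(renderer, ctrl) {
  const rm = new FakeRenderManager();
  renderer.render(rm, ctrl);
  return rm.html;
}

// Constructed payload standing in for a tainted model property.
const PAYLOAD = '<img src=x onerror="alert(1)">';

if (typeof require !== "undefined" && require.main === module) {
  const ctrl = makeControl("c1", PAYLOAD);
  const renderers = { ClassicRendererVulnerable, ClassicRendererSafe, DomRendererVulnerable, DomRendererSafe };
  for (const [name, r] of Object.entries(renderers)) {
    console.log(name + ": " + renderWith(r, ctrl));
  }
}
```

Run with `node` to see the four outputs side by side: both vulnerable renderers emit the `onerror` handler verbatim, while `writeEscaped()` and `text()`/`attr()` turn it into inert text. Those are the sink and sanitizer shapes the api1, api2 and sanitized test cases in the table exercise.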
| test | secure | insecure frameOptions | missing frameOptions |
|---|---|---|---|
| clickjacking-deny-all | ✅︎ | | |
| clickjacking-allow-all:l9, clickjacking-allow-all:l28 | | ✅︎ | |
| clickjacking-default-all | | | ✅︎ |