Add to ui5 model #253
Pull request overview
This PR extends UI5 XSS detection capabilities by adding sap/m/DatePicker to the input control model and expanding test coverage for various UI5 input components. The changes ensure that DatePicker controls are recognized as potential user input sources for XSS vulnerabilities.
Key changes:
- Added sap/m/DatePicker to the UI5InputControl model definition
- Expanded test coverage to include 9 different UI5 input control types (ComboBoxTextField, DatePicker, TextArea, ComboBoxBase, SearchField, MultiInput, FeedInput, InputBase, and the original Input)
- Updated expected test results for the UI5 view source test to reflect new input sources
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| javascript/frameworks/ui5/ext/ui5.model.yml | Adds sap/m/DatePicker to UI5InputControl model to recognize it as a user input source |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml | Adds test cases for 8 additional UI5 input control types to validate XSS detection |
| javascript/frameworks/ui5/test/models/source/source1.xml | Adds comprehensive test cases for 10 UI5 input control types including MaskEnabler and MaskInput |
| javascript/frameworks/ui5/test/models/source/UI5ViewSourceTest.expected | Updates expected test results to include all new input source detections |
| value="{/input}" /> <!--User input source sap.m.FeedInput.value --> | ||
| <InputBase placeholder="Enter InputBase Payload" | ||
| value="{/input}" /> <!--User input source sap.m.InputBase.value --> | ||
| <core:HTML content="{/input}"/> <!--XSS sink sap.ui.core.HTML.content --> |
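Review bot: The `<core:HTML content="{/input}"/>` sink and the FeedInput and InputBase `value` bindings above it all share the single `/input` model path, so every control added here feeds the same sink. The test only proves that each control is modelled as a source if the expected output carries one row per control; check that it does, or give each control its own model path and its own sink so that a dropped source model shows up as a missing alert.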
The addition of new input controls in this file causes the <core:HTML> element to move from line 8 (where it was previously) to line 24. However, the expected test results file UI5Xss.expected in this test directory has not been updated and still references line 8 for the HTML content binding. This will cause the test to fail. The expected file needs to be regenerated or manually updated to reflect the new line numbers (line 24 instead of line 8 for content={/input}).
…anced-security/codeql-sap-js into knewbury01/update-ui5-models
What This PR Contributes
adds -
- sap/m/DatePicker to the ui5 input modelling sap/m/___ components)

The testing did not previously include full coverage of types that could be included; testing additions were made for both the remote flow source aspect and full path of alerts involving those types (the UI5 Xss query)
Future Works
none at this time