advanced-security · data-douser · Mar 18, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/...t/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll b/...t/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll
@@ -61,6 +61,15 @@ class LocalModelContentBoundBidirectionallyToHtmlISinkControl extends DomBasedXs
   UI5Control getControlDeclaration() { result = controlDeclaration }
 }
 
+/**
+ * A local source for cases where the Control implementation is separate from the complete UI5 app.
+ */
+class LocalModelStringPropertySource extends DomBasedXss::Source {
+  LocalModelStringPropertySource() {
+    this = any(PropertyMetadata propMeta | propMeta.isUnrestrictedStringType())
+  }
+}
+
 module UI5PathGraph<PathNodeSig ConfigPathNode, PathGraphSig<ConfigPathNode> ConfigPathGraph> {
   private newtype TNode =
     TUI5BindingPathNode(UI5BindingPath path) or

diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/UI5Xss.expected
@@ -13,3 +13,4 @@ edges
 | webapp/controls/Book.js:133:8:133:26 | oControl.getTitle() | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" |
 #select
 | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | webapp/controller/App.Controller.js:23:25:23:47 | oSearch ... Value() | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | XSS vulnerability due to $@. | webapp/controller/App.Controller.js:23:25:23:47 | oSearch ... Value() | user-provided value |
+| webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | webapp/controls/Book.js:17:13:17:30 | { type: "string" } | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | XSS vulnerability due to $@. | webapp/controls/Book.js:17:13:17:30 | { type: "string" } | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:23:14:40 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xss.js:14:23:14:40 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:23:14:40 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:23:14:40 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:32:14:49 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xss.js:14:32:14:49 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:32:14:49 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:32:14:49 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:28:14:45 | oControl.getText() | webapp/control/xss.js:7:19:7:36 | { type: "string" } | webapp/control/xss.js:14:28:14:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:19:7:36 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:28:14:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:28:14:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/control/xssBase.js:5:15:5:32 | { type: "string" } | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xssBase.js:5:15:5:32 | { type: "string" } | user-provided value |
 | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/renderer.js:8:28:8:45 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/renderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/renderer.js:8:28:8:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/renderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |