JavaScript: Fix DomMethodCallExpr.interpretsArgumentsAsHTML.

[xiemaisi]

The first argument to setAttribute is the attribute name, which is generally less sensitive than the second one, so I've changed it. Similar comments apply to the other changes.

I've run a dist-compare (internal link) on nightly.slugs. The results are a bit mixed: while the new results on Lucifier look good, the ones on gatsby are false positives. They are, however, in test code, so wouldn't be displayed on LGTM.

I think a proper fix for these false positives would involve flow-labelifying the XSS query.

If we feel uncomfortable with the new results, I'm happy to scrap/postpone this PR.

[asger-semmle]

Worth landing IMO.

I think a proper fix for these false positives would involve flow-labelifying the XSS query.

Let's talk about this offline

[ghost]

How about restricting this to only flagging assignments to a library set of dangerous attribute names (such as "src", "href", "style")? That is what we do for ordinary property assignments such as innerHtml already.

The "data" property is interesting for an exploratory query, as that property often is read later and used unsanitized in an ordinary XSS sink.

[xiemaisi]

How about restricting this to only flagging assignments to a library set of dangerous attribute names

Good idea in general, although it wouldn't help avoid the false positives in this case; they are all about setting href (to harmless values).

[xiemaisi]

Updated as suggested.

[asger-semmle]

We already have isUrlValuedAttribute which seems to do this more generally, although it currently only works if the element type is known. Maybe we could reuse that?

[xiemaisi]

Hm, interesting thought. That predicate does rely on knowing what the element type is, though, which in this case we don't. (I'll definitely add action and formaction here, though.)

[asger-semmle]

LGTM