From 7f534b05449f97f4b96fc511704f933bd51ddf4d Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Wed, 25 Feb 2026 18:05:42 +0100
Subject: [PATCH 1/2] XSRF test
---
 .../ui5/test/queries/RequestForgery/CSRF.expected | 4 ++++
 .../frameworks/ui5/test/queries/RequestForgery/CSRF.qlref | 1 +
 .../ui5/test/queries/RequestForgery/SSRF.expected | 4 ++++
 .../frameworks/ui5/test/queries/RequestForgery/SSRF.qlref | 1 +
 .../frameworks/ui5/test/queries/RequestForgery/test.js | 6 ++++++
 5 files changed, 16 insertions(+)
 create mode 100644 javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.expected
 create mode 100644 javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.qlref
 create mode 100644 javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.expected
 create mode 100644 javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.qlref
 create mode 100644 javascript/frameworks/ui5/test/queries/RequestForgery/test.js
diff --git a/javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.expected b/javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.expected
new file mode 100644
index 000000000..e217064d1
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
diff --git a/javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.qlref b/javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.qlref
new file mode 100644
index 000000000..1557850e8
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/RequestForgery/CSRF.qlref
@@ -0,0 +1 @@
+Security/CWE-918/ClientSideRequestForgery.ql
diff --git a/javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.expected b/javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.expected
new file mode 100644
index 000000000..e217064d1
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
diff --git a/javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.qlref b/javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.qlref
new file mode 100644
index 000000000..fcb4e41da
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/RequestForgery/SSRF.qlref
@@ -0,0 +1 @@
+Security/CWE-918/RequestForgery.ql
diff --git a/javascript/frameworks/ui5/test/queries/RequestForgery/test.js b/javascript/frameworks/ui5/test/queries/RequestForgery/test.js
new file mode 100644
index 000000000..dfde449f0
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/RequestForgery/test.js
@@ -0,0 +1,6 @@
+import request from 'request';
+$(document).ready(function () {
+ var request = new XMLHttpRequest();
+ var url = jQuery.sap.GetUriParameters().get("url");
+ request.open("GET", url, false);
+});
\ No newline at end of file
From 39d02f70d67d71ccfd46fff658a3c9254ee12be9 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Wed, 25 Feb 2026 18:07:00 +0100
Subject: [PATCH 2/2] getContent is not a generic remote source
---
 javascript/frameworks/ui5/ext/ui5.model.yml | 1 -
 .../queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected | 1 -
 2 files changed, 2 deletions(-)
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
index 4112a1cab..a17302ede 100644
--- a/javascript/frameworks/ui5/ext/ui5.model.yml
+++ b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -115,7 +115,6 @@ extensions:
 data:
 - ["UI5InputControl", "Member[value]", "remote"]
 - ["UI5InputControl", "Member[getValue].ReturnValue", "remote"]
- - ["UI5HTMLControl", "Member[getContent].ReturnValue", "remote"]
 - ["UI5CodeEditor", "Member[value]", "remote"]
 - ["UI5CodeEditor", "Member[getCurrentValue].ReturnValue", "remote"]
 - ["global", "Member[jQuery].Member[sap].Member[syncHead,syncGet,syncGetText,syncPost,syncPostText].ReturnValue", "remote"]
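Review bot: The `import request from 'request';` on the first line of test.js is dead: `var request = new XMLHttpRequest();` inside the ready callback shadows it, so the `request` package is never exercised and the test reads as if it targets a Node client when the rest is browser/UI5 code; either drop the import or rename the local, e.g. `var xhr = new XMLHttpRequest();` and `xhr.open("GET", url, false);`. Both new `.expected` files contain only the `edges`/`nodes`/`subpaths`/`#select` headers, so neither query currently reports the flow from the `url` query parameter into `open`; if this is meant to be a positive test rather than a placeholder, one likely cause is the spelling `jQuery.sap.GetUriParameters()` — the UI5 API is `jQuery.sap.getUriParameters()` with a lowercase g, and a case-sensitive member model would not treat the capitalised call as a source. The file also ends without a trailing newline.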
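Review bot: The dropped `UI5HTMLControl` row leaves no record in ui5.model.yml of why `getContent` is excluded while the neighbouring `value`/`getValue` and `getCurrentValue` rows stay, so the next maintainer extending the list is likely to re-add it; a comment next to the list, e.g. `# UI5HTMLControl's getContent is intentionally not listed: its return value is not a generic remote source`, would capture the decision the commit title states. The remaining row in UI5Xss.expected still traces `unsanit ... ntent()` back to `value={/input}`, so the bound-data path into the HTML control keeps coverage. Whether content written directly with the control's setter and read back through `getContent()` is still tracked by a summary model is not visible in this hunk and would merit its own test case if it is not.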
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected
index 7ce2c54b5..ee57653fa 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected
@@ -18,5 +18,4 @@ edges
 #select
 | webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
 | webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
-| webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | XSS vulnerability due to $@. | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | user-provided value |
 | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |