create a customizations file for StoredXss

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssCustomizations.qll

@@ -0,0 +1,47 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * stored cross-site scripting vulnerabilities.
+ */
+
+import javascript
+
+module StoredXss {
+  private import Xss::Shared as Shared
+
+  /** A data flow source for stored XSS vulnerabilities. */
+  abstract class Source extends Shared::Source { }
+
+  /** A data flow sink for stored XSS vulnerabilities. */
+  abstract class Sink extends Shared::Sink { }
+
+  /** A sanitizer for stored XSS vulnerabilities. */
+  abstract class Sanitizer extends Shared::Sanitizer { }
+
+  /** A sanitizer guard for stored XSS vulnerabilities. */
+  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
+
+  /** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
+  private class AnySink extends Sink {
+    AnySink() { this instanceof Shared::Sink }
+  }
+
+  /**
+   * A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
+   * XSS vulnerabilities.
+   *
+   * The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
+   * so any such replacement stops taint propagation.
+   */
+  private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
+
+  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
+
+  private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
+  }
+
+  private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
+
+  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
+
+  private class ContainsHtmlGuard extends SanitizerGuard, Shared::ContainsHtmlGuard { }
+}

javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll

@@ -4,7 +4,7 @@
  */
 
 import javascript
-import Xss::StoredXss
+import StoredXssCustomizations::StoredXss
 
 /**
  * A taint-tracking configuration for reasoning about XSS.

javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll

@@ -162,44 +162,12 @@ deprecated module ReflectedXss {
   import ReflectedXssCustomizations::ReflectedXss
 }
 
-/** Provides classes and predicates for the stored XSS query. */
-module StoredXss {
-  /** A data flow source for stored XSS vulnerabilities. */
-  abstract class Source extends Shared::Source { }
-
-  /** A data flow sink for stored XSS vulnerabilities. */
-  abstract class Sink extends Shared::Sink { }
-
-  /** A sanitizer for stored XSS vulnerabilities. */
-  abstract class Sanitizer extends Shared::Sanitizer { }
-
-  /** A sanitizer guard for stored XSS vulnerabilities. */
-  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
-
-  /** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
-  private class AnySink extends Sink {
-    AnySink() { this instanceof Shared::Sink }
-  }
-
-  /**
-   * A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
-   * XSS vulnerabilities.
-   *
-   * The XSS queries do not attempt to reason about correctness or completeness of sanitizers,
-   * so any such replacement stops taint propagation.
-   */
-  private class MetacharEscapeSanitizer extends Sanitizer, Shared::MetacharEscapeSanitizer { }
-
-  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
-
-  private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
-  }
-
-  private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
-
-  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
-
-  private class ContainsHtmlGuard extends SanitizerGuard, Shared::ContainsHtmlGuard { }
+/**
+ * DEPRECATED: Use the `StoredXssCustomizations.qll` file instead.
+ * Provides classes and predicates for the stored XSS query.
+ */
+deprecated module StoredXss {
+  import StoredXssCustomizations::StoredXss
 }
 
 /** Provides classes and predicates for the XSS through DOM query. */