JS: Treat document as a DOM value

Author: asgerf

javascript/ql/lib/semmle/javascript/DOM.qll

@@ -445,6 +445,8 @@ module DOM {
     or
     result.hasUnderlyingType(any(string s | s.matches("HTML%Element")))
     or
+    result = documentRef()
+    or
     exists(DataFlow::ClassNode cls |
       cls.getASuperClassNode().getALocalSource() =
         DataFlow::globalVarRef(any(string s | s.matches("HTML%Element"))) and

javascript/ql/test/library-tests/DOM/Customizations.expected

@@ -7,20 +7,28 @@ test_documentRef
 test_locationRef
 | customization.js:3:3:3:14 | doc.location |
 test_domValueRef
+| customization.js:2:13:2:31 | customGetDocument() |
+| customization.js:3:3:3:14 | doc.location |
 | customization.js:4:3:4:20 | doc.getElementById |
 | customization.js:4:3:4:28 | doc.get ... 'test') |
 | event-handler-receiver.html:4:20:4:19 | this |
+| event-handler-receiver.js:1:1:1:8 | document |
 | event-handler-receiver.js:1:1:1:23 | documen ... entById |
 | event-handler-receiver.js:1:1:1:32 | documen ... my-id') |
 | event-handler-receiver.js:1:44:1:43 | this |
 | event-handler-receiver.js:2:3:2:17 | this.parentNode |
+| event-handler-receiver.js:5:1:5:8 | document |
 | event-handler-receiver.js:5:1:5:23 | documen ... entById |
 | event-handler-receiver.js:5:1:5:32 | documen ... my-id') |
 | event-handler-receiver.js:5:60:5:59 | this |
 | event-handler-receiver.js:6:3:6:17 | this.parentNode |
+| nameditems.js:1:1:1:8 | document |
 | nameditems.js:1:1:1:23 | documen ... entById |
 | nameditems.js:1:1:1:30 | documen ... ('foo') |
 | nameditems.js:1:1:2:19 | documen ... em('x') |
+| querySelectorAll.js:2:5:2:12 | document |
 | querySelectorAll.js:2:5:2:29 | documen ... ctorAll |
+| querySelectorAll.js:2:5:2:36 | documen ... ('foo') |
+| querySelectorAll.js:2:46:2:48 | elm |
 | tst.js:49:3:49:8 | window |
 | tst.js:50:3:50:8 | window |