Fix standalone tests

Author: joefarebrother

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/Test/Test.cshtml

@@ -1,7 +1,6 @@
-@namespace test
+@page
+
 @model UserData
-@{
-}
 
 @if (Model != null)
 {

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/_ViewImports.cshtml

@@ -0,0 +1,3 @@
+@using test
+
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.expected

@@ -0,0 +1 @@
+| Views/Test/Test.cshtml:7:27:7:36 | access to property Name | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | Views/Test/Test.cshtml:7:27:7:36 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | User-provided value |

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
+ * @id cs/web/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.XSSQuery
+
+// import PathGraph // exclude query predicates with output dependant on the absolute filepath the tests are run in
+from XssNode source, XssNode sink, string message
+where xssFlow(source, sink, message)
+select sink, source, sink, "$@ flows to here and " + message, source, "User-provided value"

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.qlref

@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net7.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+</Project>

csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/cshtml.csproj

@@ -69,9 +69,11 @@ class RazorPageClass extends Class {
   AssemblyAttribute attr;
 
   RazorPageClass() {
-    this.getBaseClass()
-        .getUnboundDeclaration()
-        .hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorPage<>") and
+    exists(Class baseClass | baseClass = this.getBaseClass().getUnboundDeclaration() |
+      baseClass.hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorPage<>")
+      or
+      baseClass.hasQualifiedName("Microsoft.AspNetCore.Mvc.RazorPages", "Page")
+    ) and
     attr.getFile() = this.getFile() and
     attr.getType()
         .hasQualifiedName("Microsoft.AspNetCore.Razor.Hosting", "RazorCompiledItemAttribute")