JavaScript: Add setHTMLUnsafe and parseHTMLUnsafe as XSS sinks

Add support for two new HTML Sanitizer API methods that interpret
arguments as HTML without sanitization:

- `Element.setHTMLUnsafe(html)`: Added to `interpretsArgumentsAsHtml`
  in DOM.qll, following the same pattern as `insertAdjacentHTML` and
  `document.write`. Receiver validation via `isDomNode` is inherited
  from `DomMethodCallNode`.

- `Document.parseHTMLUnsafe(html)`: Added to `HtmlParserSink` in
  DomBasedXssCustomizations.qll, following the same
  `GlobalVarRefNode` pattern as `DOMParser.parseFromString`. This
  is a static method on the `Document` class.

Both methods are part of the HTML Sanitizer API and are shipping in
browsers (Chrome 124+, Firefox 148+). Unlike their safe counterparts
(`setHTML`, `parseHTML`), these methods do not sanitize input and are
therefore XSS sinks.

References:
- https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTMLUnsafe
- https://developer.mozilla.org/en-US/docs/Web/API/Document/parseHTMLUnsafe_static

Author: sunnyeo

javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll

@@ -58,6 +58,8 @@ class DomMethodCallNode extends DataFlow::MethodCallNode {
       name = "createElement" and argPos = 0
       or
       name = "appendChild" and argPos = 0
+      or
+      name = "setHTMLUnsafe" and argPos = 0
     )
   }
 

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -196,6 +196,11 @@ module DomBasedXss {
         ccf.getMethodName() = "createContextualFragment" and
         this = ccf.getArgument(0)
       )
+      or
+      exists(DataFlow::GlobalVarRefNode doc |
+        doc.getName() = "Document" and
+        this = doc.getAMethodCall("parseHTMLUnsafe").getArgument(0)
+      )
     }
   }