Description
CodeQL security scan did not recognise the CWE-116 (Improper Encoding or Escaping of Output) in a Sitemap.xml.ts file when unescaped values are embedded into XML output.
Example
A sitemap is generated dynamically by interpolating application-derived values into XML elements:

```typescript
// BASE_URL is assumed to be defined elsewhere in the application; it is
// declared here only so the snippet type-checks on its own.
declare const BASE_URL: string;

function generateSitemap(entries: string[]) {
  // Each path is interpolated into <loc> as-is: no XML escaping is applied.
  return `<?xml version="1.0" encoding="UTF-8"?>
<urlset>
${entries.map(path => `
  <url>
    <loc>${BASE_URL}/${path}</loc>
  </url>
`).join("")}
</urlset>`;
}
```

Values here are embedded directly into XML elements without escaping.
Question
I would like to understand whether this pattern is currently not covered by the JavaScript/TypeScript analysis, or whether the scanning logic intentionally determines that this does not constitute a CWE-116 weakness when generating XML output such as a sitemap.
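As an added example (not the issue's own code), the unescaped builder above beside a hardened version that entity-escapes every value before it is interpolated into `<loc>`; `BASE_URL` and the sample paths are constructed placeholders.

```typescript
// Constructed placeholder; in the application this comes from configuration.
const BASE_URL = "https://example.invalid";

// Escape the five XML special characters so data can never be read as markup.
// '&' must be replaced first, otherwise the entities produced below would be
// double-escaped.
function escapeXml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Same shape as the generator in the issue: the path is a raw XML sink (CWE-116).
function generateSitemapUnsafe(entries: string[]): string {
  const urls = entries
    .map(path => `  <url>\n    <loc>${BASE_URL}/${path}</loc>\n  </url>\n`)
    .join("");
  return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset>\n${urls}</urlset>`;
}

// Hardened form: the whole URL value passes through escapeXml at the sink,
// so a path containing '<', '&' or quotes cannot alter the document structure.
function generateSitemapSafe(entries: string[]): string {
  const urls = entries
    .map(path => `  <url>\n    <loc>${escapeXml(`${BASE_URL}/${path}`)}</loc>\n  </url>\n`)
    .join("");
  return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset>\n${urls}</urlset>`;
}
```

A unit test that feeds a path containing `</loc>` through both builders is a cheap regression guard while the scanner coverage question is open.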