Address review: restrict @HostListener handler to window/document message targets

Drop the plain 'message' event name from the @HostListener matcher. The
postMessage 'message' event is dispatched on window and does not bubble, so an
element-level @HostListener('message') does not receive cross-window messages.
Keeping only 'window:message' and 'document:message' makes the model more
precise and matches the accompanying comment and change note.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: felickz

javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll

@@ -197,13 +197,13 @@ class PostMessageEventHandler extends Function {
     )
     or
     // Angular's `@HostListener('window:message', ['$event'])` decorator registers
-    // a method as a `message` event handler on the global `window`/`document`
+    // a method as a `message` event handler on the global `window` or `document`
     // target.  The decorated method receives the `MessageEvent` as its first
     // parameter, so it is equivalent to `window.addEventListener('message', ...)`.
     exists(MethodDefinition method, DataFlow::CallNode decorator |
       decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
       decorator = method.getADecorator().getExpression().flow() and
-      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message", "message"]) and
+      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
       method.getBody() = this and
       paramIndex = 0
     )