Python: Minor doc fixes from review

Rasmus Wriedt Larsen
2020-06-26 12:06:31 +02:00
parent 22ad8f717f
commit 08384e30af
2 changed files with 4 additions and 3 deletions


@@ -7,7 +7,7 @@
</overview>
<recommendation>
<p>
This vulnerability can be prevented by not allowing untrusted user input to be passed as a XSL stylesheet.
This vulnerability can be prevented by not allowing untrusted user input to be passed as an XSL stylesheet.
If the application logic necessiates processing untrusted XSL stylesheets, the input should be properly filtered and sanitized before use.
</p>
</recommendation>


@@ -41,6 +41,7 @@ module XSLTInjection {
}
private predicate etreeXML(ControlFlowNode fromnode, CallNode tonode) {
// etree.XML("<xmlContent>")
exists(CallNode call | call.getFunction().(AttrNode).getObject("XML").pointsTo(etree()) |
call.getArg(0) = fromnode and
call = tonode
@@ -48,7 +49,7 @@ module XSLTInjection {
}
private predicate etreeFromString(ControlFlowNode fromnode, CallNode tonode) {
// fromstring(text, parser=None)
// etree.fromstring(text, parser=None)
exists(CallNode call | call.getFunction().(AttrNode).getObject("fromstring").pointsTo(etree()) |
call.getArg(0) = fromnode and
call = tonode
@@ -56,7 +57,7 @@ module XSLTInjection {
}
private predicate etreeFromStringList(ControlFlowNode fromnode, CallNode tonode) {
// fromstringlist(strings, parser=None)
// etree.fromstringlist(strings, parser=None)
exists(CallNode call |
call.getFunction().(AttrNode).getObject("fromstringlist").pointsTo(etree())
|