hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

spelling: response

Browse Source 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
This commit is contained in:
Josh Soref
2022-10-09 06:37:50 -04:00
parent 1a14c06008
commit 08a79531cf
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.qhelp
View File

@@ -19,7 +19,7 @@
<p>
In general, using user input to determine Spring view name should be avoided.
If user input must be included in the expression, the controller can be annotated by
a <code>@ReponseBody</code> annotation. In this case, Spring Framework does not interpret
a <code>@ResponseBody</code> annotation. In this case, Spring Framework does not interpret
it as a view name, but just returns this string in HTTP Response. The same applies to using
a <code>@RestController</code> annotation on a class, as internally it inherits <code>@ResponseBody</code>.
</p>
@@ -31,7 +31,7 @@
</p>
<sample src="SpringViewBad.java" />
<p>
This can be easily prevented by using the <code>ResponseBody</code> annotation which marks the reponse is already processed preventing exploitation of Spring View Manipulation vulnerabilities. Alternatively, this can also be fixed by adding a <code>HttpServletResponse</code> parameter to the method definition as shown in the example below.
This can be easily prevented by using the <code>ResponseBody</code> annotation which marks the response is already processed preventing exploitation of Spring View Manipulation vulnerabilities. Alternatively, this can also be fixed by adding a <code>HttpServletResponse</code> parameter to the method definition as shown in the example below.
</p>
<sample src="SpringViewGood.java" />
</example>