JS: Factor out <recommendation> part of qhelp

2026-04-30 11:15:13 +02:00 · 2022-02-16 13:44:45 +01:00
parent 8ac0ec8dfc
commit 3496ae131b
3 changed files with 27 additions and 36 deletions
--- a/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.qhelp
+++ b/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.qhelp
@@ -19,24 +19,7 @@
        </p>
    </overview>

-    <recommendation>
-
-        <p>
-            Restrict user inputs in the URL of an outgoing request, in particular:
-            <ul>
-                <li>
-                    Avoid user input in the hostname of the URL.
-                    Pick the hostname from an allow-list instead of constructing it directly from user input.
-                </li>
-                <li>
-                    Take care when user input is part of the pathname of the URL.
-                    Restrict the input so that path traversal ("<code>../<code>")
-                    cannot be used to redirect the request to an unintended endpoint.
-                </li>
-            </ul>
-        </p>
-
-    </recommendation>
+    <include src="RequestForgeryRecommendation.inc.qhelp"/>

    <example>

--- a/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
+++ b/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
@@ -20,24 +20,7 @@
        </p>
    </overview>

-    <recommendation>
-
-        <p>
-            Restrict user inputs in the URL of an outgoing request, in particular:
-            <ul>
-                <li>
-                    Avoid user input in the hostname of the URL.
-                    Pick the hostname from an allow-list instead of constructing it directly from user input.
-                </li>
-                <li>
-                    Take care when user input is part of the pathname of the URL.
-                    Restrict the input so that path traversal ("<code>../<code>")
-                    cannot be used to redirect the request to an unintended endpoint.
-                </li>
-            </ul>
-        </p>
-
-    </recommendation>
+    <include src="RequestForgeryRecommendation.inc.qhelp"/>

    <example>

--- a/javascript/ql/src/Security/CWE-918/RequestForgeryRecommendation.inc.qhelp
+++ b/javascript/ql/src/Security/CWE-918/RequestForgeryRecommendation.inc.qhelp
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+    <recommendation>
+
+        <p>
+            Restrict user inputs in the URL of an outgoing request, in particular:
+        </p>
+        <ul>
+            <li>
+                Avoid user input in the hostname of the URL.
+                Pick the hostname from an allow-list instead of constructing it directly from user input.
+            </li>
+            <li>
+                Take care when user input is part of the pathname of the URL.
+                Restrict the input so that path traversal ("<code>../</code>")
+                cannot be used to redirect the request to an unintended endpoint.
+            </li>
+        </ul>
+
+    </recommendation>
+
+</qhelp>