diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp index 80f4a8b44fd..b23557aa557 100644 --- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp +++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp @@ -15,9 +15,9 @@

- However, it is notoriously error-prone to treat the URL as - a string and check if one of the allowed hosts is a substring of the - URL. Malicious URLs can bypass such security checks by embedding one + However, treating the URL as a string and checking if one of the + allowed hosts is a substring of the URL is very prone to errors. + Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.
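Review bot: "is very prone to errors" in the replacement lines is a weaker and clumsier substitute for the original "error-prone"; if the intent is only to drop "notoriously" and front-load the subject, keep the adjective: "However, treating the URL as a string and checking whether one of the allowed hosts is a substring of the URL is error-prone." While touching the sentence, "checking whether" reads better than "checking if". The two files in this patch carry identical qhelp text, so whichever wording is chosen should be applied to both the JavaScript and the Python file in the same change.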

diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp index a5e8c524ade..6c783a4f729 100644 --- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp +++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp @@ -14,10 +14,9 @@

- - However, it is notoriously error-prone to treat the URL as - a string and check if one of the allowed hosts is a substring of the - URL. Malicious URLs can bypass such security checks by embedding one + However, treating the URL as a string and checking if one of the + allowed hosts is a substring of the URL is very prone to errors. + Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.
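Review bot: the first removed line of this hunk deletes a blank line, which is why the header reads -14,10 +14,9 while the JavaScript hunk is 9/9; after the change the Python file matches the JavaScript file's single blank line before the paragraph, which is fine, but the commit message should mention the whitespace cleanup so the line-count delta is not mistaken for dropped text. The same wording point applies here as in the JavaScript file: prefer "is error-prone" over "is very prone to errors" and "checking whether" over "checking if", and keep both files' paragraphs byte-identical.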