From 3850f878793f5373ef6bdbef3fd7bf4df4e63348 Mon Sep 17 00:00:00 2001 From: Mark Shannon Date: Fri, 25 Jan 2019 16:47:23 +0000 Subject: [PATCH] Make qhelp for 'Incomplete URL substring sanitization' consistent across languages. --- .../CWE-020/IncompleteUrlSubstringSanitization.qhelp | 6 +++--- .../CWE-020/IncompleteUrlSubstringSanitization.qhelp | 7 +++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp index 80f4a8b44fd..b23557aa557 100644 --- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp +++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp @@ -15,9 +15,9 @@

- However, it is notoriously error-prone to treat the URL as - a string and check if one of the allowed hosts is a substring of the - URL. Malicious URLs can bypass such security checks by embedding one + However, treating the URL as a string and checking if one of the + allowed hosts is a substring of the URL is very prone to errors. + Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.

diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp index a5e8c524ade..6c783a4f729 100644 --- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp +++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp @@ -14,10 +14,9 @@

- - However, it is notoriously error-prone to treat the URL as - a string and check if one of the allowed hosts is a substring of the - URL. Malicious URLs can bypass such security checks by embedding one + However, treating the URL as a string and checking if one of the + allowed hosts is a substring of the URL is very prone to errors. + Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.
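Review bot: in the javascript hunk, replacing "notoriously error-prone" with "is very prone to errors" makes the sentence wordier and a little weaker; if the aim is consistency across languages, "is error-prone" reads tighter in both files, e.g. `allowed hosts is a substring of the URL is error-prone.`, and the surrounding context line `of the allowed hosts in an unexpected location.` still fits.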
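Review bot: the python hunk also removes a stray blank line (the lone `-` line, reflected in the `-14,10 +14,9` counts) that the javascript file never had, so after this change the two qhelp paragraphs are byte-for-byte aligned; since that whitespace cleanup is separate from the wording change, a short mention in the commit message would make the diff easier to read later.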