Fix QHelp/XML syntax

2026-05-01 03:35:13 +02:00 · 2020-03-30 18:55:14 +02:00
parent c6688eb349
commit 40c3b5468f
1 changed files with 7 additions and 13 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.qhelp
@@ -2,40 +2,34 @@
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
 <qhelp>
+
 <overview>
 <p>Calling <code>openStream</code> on URLs created from remote source can lead to local file disclosure.</p>
-
 <p>If <code>openStream</code> is called on a <code>java.net.URL</code>, that was created from a remote source
 an attacker can try to pass absolute URLs starting with <code>file://</code> or <code>jar://</code> to access
 local resources in addition to remote ones.</p>
-
 </overview>
-<recommendation>

+<recommendation>
 <p>When you construct a URL using <code>java.net.URL</code> from a remote source, make sure
 to not call openStream on it. Instead fetch the URL with a HTTP Client to access its content.
 Also validate that the URL uses the correct protocol and host combination.</p>
-
 </recommendation>
-<example>

+<example>
 <p>The following example shows an URL that is constructed from a request parameter. Afterwards <code>openStream</code>
 is called on the URL, potentially leading to a local file access.</p>
-
 <sample src="OpenStream.java" />
-
 </example>
-<references>

+<references>
 <ul>
 <li>Java Platform, Standard Edition 11, API Specification: 
 <a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html">
 Class URL</a>.
-<li>
+</li>
 </ul>
-
-<!--  LocalWords:  CWE
- -->
-
+<!--  LocalWords:  CWE -->
 </references>
+
 </qhelp>