hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update DoubleEscaping.qhelp

Browse Source 
Somewhat ironic, considering the object of the query.
This commit is contained in:
Max Schaefer
2019-01-21 18:29:44 +08:00
parent 821a7bfadd
commit 43f4fe1a7e
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/src/Security/CWE-116/DoubleEscaping.qhelp
View File

@@ -52,13 +52,13 @@ The following example shows a pair of hand-written HTML encoding and decoding fu
<p>
The encoding function correctly handles ampersand before the other characters. For example,
the string <code>me &amp; "you"</code> is encoded as <code>me &amp;amp; &amp;quot;you&amp;quot;</code>,
and the string <code>&quot;</code> is encoded as <code>&amp;quot;</code>.
and the string <code>&amp;quot;</code> is encoded as <code>&amp;amp;quot;</code>.
</p>
<p>
The decoding function, however, incorrectly decodes <code>&amp;amp;</code> into <code>&amp;</code>
before handling the other characters. So while it correctly decodes the first example above,
it decodes the second example (<code>&amp;quot;</code>) to <code>&quot;</code> (a single double quote),
it decodes the second example (<code>&amp;amp;quot;</code>) to <code>&quot;</code> (a single double quote),
which is not correct.
</p>