Merge pull request #4141 from esbena/js/clarify-sanitization

JS: make sanitization a "common" technique rather than "important"
Esben Sparre Andreasen
2020-08-27 08:08:17 +02:00
committed by GitHub
6 changed files with 41 additions and 7 deletions

View File

@@ -6,7 +6,7 @@
<overview>
<p>
Sanitizing untrusted input for HTML meta-characters is an important
Sanitizing untrusted input for HTML meta-characters is a common
technique for preventing cross-site scripting attacks. Usually, this
is done by escaping <code>&lt;</code>, <code>&gt;</code>,
<code>&amp;</code> and <code>&quot;</code>. However, the context in which
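Review bot: the enumeration of escaped characters in the unchanged context lines (`<`, `>`, `&` and `"`) leaves out the single quote, which also has to be escaped when the value is interpolated into a single-quoted attribute; since this hunk already rewrites that sentence, consider adding `'` (as `&#39;`) to the list, or phrasing it as "characters such as" so it does not read as a complete set, which the following sentence about context then qualifies.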
@@ -38,6 +38,14 @@
</p>
<p>
An even safer alternative is to design the application
so that sanitization is not needed, for instance by using HTML
templates that are explicit about the values they treat as HTML.
</p>
</recommendation>
<example>
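Review bot: the new paragraph's recommendation, "HTML templates that are explicit about the values they treat as HTML", does not say what property the reader should look for; name it (contextual auto-escaping, where interpolated values are escaped by default and marking a value as trusted HTML is an explicit opt-in) so a reader can tell whether their template engine qualifies.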

View File

@@ -5,7 +5,7 @@
<overview>
<p>
Sanitizing untrusted input is an important technique for preventing injection attacks such as
Sanitizing untrusted input is a common technique for preventing injection attacks such as
SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such
as quotes in a domain-specific way so that they are treated as normal characters.
</p>
@@ -31,6 +31,14 @@ still have undesirable effects, such as badly rendered or confusing output.
Use a (well-tested) sanitization library if at all possible. These libraries are much more
likely to handle corner cases correctly than a custom implementation.
</p>
<p>
An even safer alternative is to design the application so that sanitization is not
needed, for instance by using prepared statements for SQL queries.
</p>
<p>
Otherwise, make sure to use a regular expression with the <code>g</code> flag to ensure that
all occurrences are replaced, and remember to escape backslashes if applicable.
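Review bot: inserting the "even safer alternative" paragraph between "Use a (well-tested) sanitization library if at all possible" and "Otherwise, make sure to use a regular expression with the g flag" breaks the flow: "Otherwise" now reads as the alternative to designing away sanitization rather than to using a library. Either place the new paragraph ahead of the library advice or open the last paragraph with "If a library is not an option, ...". Also, since this overview covers cross-site scripting as well as SQL injection, prepared statements only address half of it; consider mentioning HTML templates as well, as the other files in this PR do.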

View File

@@ -6,8 +6,8 @@
<overview>
<p>
Sanitizing untrusted input for HTML meta-characters is an
important technique for preventing cross-site scripting attacks. But
Sanitizing untrusted input for HTML meta-characters is a
common technique for preventing cross-site scripting attacks. But
even a sanitized input can be dangerous to use if it is modified
further before a browser treats it as HTML.
@@ -28,6 +28,15 @@
them as HTML.
</p>
<p>
An even safer alternative is to design the application
so that sanitization is not needed, for instance by using HTML
templates that are explicit about the values they treat as HTML.
</p>
</recommendation>
<example>

View File

@@ -4,7 +4,7 @@
<overview>
<p>
Sanitizing untrusted HTTP request parameters is an important
Sanitizing untrusted HTTP request parameters is a common
technique for preventing injection attacks such as SQL injection or
path traversal. This is sometimes done by checking if the request
parameters contain blacklisted substrings.
@@ -35,6 +35,15 @@
is user-controlled.
</p>
<p>
An even safer alternative is to design the application so that sanitization is not
needed, for instance by using prepared statements for SQL queries.
</p>
</recommendation>
<example>
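Review bot: this file's overview names both SQL injection and path traversal, but the added paragraph offers only prepared statements as the design alternative; add a path traversal counterpart, such as resolving the requested path and rejecting anything that does not stay under the intended root directory, or mapping request parameters onto a fixed allow-list of files, so the recommendation covers both attack classes it mentions.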