hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use <code> tag in JexlInjection.qhelp

Browse Source
This commit is contained in:
Artem Smotrakov
2021-01-21 22:49:36 +01:00
parent ee6d28b562
commit 73c8338e52
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp
View File

@@ -28,8 +28,8 @@ The following example uses untrusted data to build and run a JEXL expression.
<p>
The next example shows how an untrusted JEXL expression can be run
in a sandbox that allows accessing only methods in the `java.lang.Math` class.
The sandbox is implemented using `JexlSandbox` class that is provided by
in a sandbox that allows accessing only methods in the <code>java.lang.Math</code> class.
The sandbox is implemented using <code>JexlSandbox</code> class that is provided by
Apache Commons JEXL 3.
However, it's recommended to avoid using untrusted input in JEXL expressions.
</p>
@@ -37,7 +37,7 @@ However, it's recommended to avoid using untrusted input in JEXL expressions.
<p>
The next example shows another way how a sandbox can be implemented.
It uses a custom implememtation of `JexlUberspect`
It uses a custom implememtation of <code>JexlUberspect</code>
that checks if callees are instances of allowed classes.
Again, it's recommended to avoid using untrusted input in JEXL expressions.
</p>