From 7cc7ec962e8f12e2869871fb878895894008bbd8 Mon Sep 17 00:00:00 2001 From: Artem Smotrakov Date: Wed, 3 Mar 2021 11:40:59 +0100 Subject: [PATCH] Updated recommendations for avoiding JEXL injections --- .../experimental/Security/CWE/CWE-094/JexlInjection.qhelp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp index fa6e5b09410..7b49378a4d2 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp @@ -14,8 +14,8 @@ and then evaluated, then it may allow the attacker to run arbitrary code.

-Including untrusted input in a JEXL expression should be avoided. If it is not possible, -JEXL expressions should be run in a sandbox that allows accessing only +It is generally recommended to avoid using untrusted input in a JEXL expression. +If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.

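Review bot: The new wording "It is generally recommended to avoid using untrusted input in a JEXL expression" is weaker than the line it replaces ("Including untrusted input in a JEXL expression should be avoided"); for a query help page whose point is that untrusted input reaching the evaluator yields arbitrary code execution (see the unchanged context just above, "then it may allow the attacker to run arbitrary code"), the hedge "generally" reads as optional advice rather than a rule. Suggest keeping the imperative and only fixing the flow, e.g. "Untrusted input should not be used in a JEXL expression. If that is not possible, ...". In the same sentence, "If it is not possible" has no clear antecedent after the rewrite ("it" could be read as the input); "If that is not possible" or "If this cannot be avoided" makes the fallback explicit.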
@@ -60,4 +60,4 @@ that checks if callees are instances of allowed classes. Expression Language Injection. - \ No newline at end of file +
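Review bot: This hunk is a whitespace-only change (it removes and re-adds the closing tag to fix "\ No newline at end of file"), which is why the stat reports 3 insertions and 3 deletions although only one sentence was reworded. Adding the trailing newline is the right fix, but bundling it with the wording change inflates the diff; either mention it in the commit message ("also add missing trailing newline") or split it into its own commit so the documentation change is reviewable on its own.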