Update XsltInjection.qhelp

Made a few minor tweaks during editorial review
mc
2021-07-29 11:17:39 +01:00
committed by Tony Torralba
parent 13417dbf14
commit 95751fcc21


@@ -4,12 +4,12 @@
<qhelp> <qhelp>
<overview> <overview>
<p>XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML <p>XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML
documents into other XML documents or other formats. Processing of unvalidated XSLT stylesheet can documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can
let attacker to read arbitrary files from the filesystem or to execute arbitrary code.</p> allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.</p>
</overview> </overview>
<recommendation> <recommendation>
<p>The general recommendation is to not process untrusted XSLT stylesheets. If user provided <p>The general recommendation is to not process untrusted XSLT stylesheets. If user-provided
stylesheets must be processed, enable the secure processing mode.</p> stylesheets must be processed, enable the secure processing mode.</p>
</recommendation> </recommendation>
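
Review bot: The overview still says "Processing unvalidated XSLT stylesheets" while the recommendation says "untrusted XSLT stylesheets", so the two paragraphs name the risky input differently. "Unvalidated" suggests that validating a stylesheet makes it safe to process, which the recommendation does not claim; using "untrusted" in both places would keep the guidance consistent. In the recommendation, "enable the secure processing mode" does not name the setting a reader has to turn on, so consider naming the feature or API there. Minor wording: "is to not process" reads more naturally as "is not to process".
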
@@ -17,7 +17,7 @@ stylesheets must be processed, enable the secure processing mode.</p>
<p>In the following examples, the code accepts an XSLT stylesheet from the user and processes it. <p>In the following examples, the code accepts an XSLT stylesheet from the user and processes it.
</p> </p>
<p>In the first example, the user provided XSLT stylesheet is parsed and processed.</p> <p>In the first example, the user-provided XSLT stylesheet is parsed and processed.</p>
<p>In the second example, secure processing mode is enabled.</p> <p>In the second example, secure processing mode is enabled.</p>
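
Review bot: The changed sentence "In the first example, the user-provided XSLT stylesheet is parsed and processed." does not say that this is the unsafe case, so the contrast with the second example has to be inferred. Suggest stating it directly, for example "is parsed and processed without secure processing mode enabled", so the reader knows which sample to avoid without opening the sample files. The context line above also leaves the closing </p> on its own line after "processes it."; since this is an editorial pass, it could be joined to the sentence.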