JS: address review comments for js/unsafe-jquery-plugin

2026-04-28 02:05:14 +02:00 · 2020-01-30 08:32:22 +01:00
parent eaff78b37e
commit c70997febf
5 changed files with 48 additions and 11 deletions
--- a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp
+++ b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp
@@ -18,7 +18,7 @@
 			Otherwise, the plugin may write user input (for example, a URL query
 			parameter) to a web page without properly sanitizing the input first,
 			which allows for a cross-site scripting vulnerability in the client
-			application.
+			application through dynamic HTML construction.

 		</p>
 	</overview>
@@ -26,7 +26,9 @@
 	<recommendation>
 		<p>

-			Document all options that can lead to cross-site scripting attacks.
+			Document all options that can lead to cross-site scripting
+			attacks, and guard against unsafe inputs where dynamic HTML
+			construction is not intended.

 		</p>
 	</recommendation>