reorder and format rb/reflected-xss qhelp

ql/src/queries/security/cwe-079/ReflectedXSS.qhelp

@@ -1,59 +1,55 @@
 <!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
+ "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
+ "qhelp.dtd">
 <qhelp>
 
-<overview>
+  <overview>
-<p>
+    <p>
-Directly writing user input (for example, an HTTP request parameter) to a webpage
+      Directly writing user input (for example, an HTTP request parameter) to a webpage
-without properly sanitizing the input first, allows for a cross-site scripting
+      without properly sanitizing the input first, allows for a cross-site scripting
-vulnerability.
+      vulnerability.
-</p>
+    </p>
-</overview>
+  </overview>
 
-<recommendation>
+  <recommendation>
-<p>
+    <p>
-To guard against cross-site scripting, consider escaping the input before
+      To guard against cross-site scripting, consider escaping the input before
-writing user input to the page. In some frameworks, such as Rails, escaping will
+      writing user input to the page. In some frameworks, such as Rails, escaping will
-be performed implicitly and by default.
+      be performed implicitly and by default.
-</p>
+    </p>
-</recommendation>
 
-<example>
+    <p>
-<p>
+      Care should be taken when using methods such as <code>html_safe</code> or
-For instance, the following example is safe because the
+      <code>raw</code>. These methods can be used to output a string without escaping
-<code>params[:user_name]</code> content within the output tags will be
+      it. As such, they should only be used when the string has already been manually
-automatically HTML escaped before being output.
+      escaped (for example, with the Rails <code>html_escape</code> method), or when
-</p>
+      the content is otherwise guaranteed to be safe (such as a hard-coded string).
-<sample src="examples/safe.html.erb" />
+    </p>
-</example>
+  </recommendation>
 
-<recommendation>
+  <example>
-<p>
+    <p>
-Care should be taken when using methods such as <code>html_safe</code> or
+      In the following example is safe because the
-<code>raw</code>. These methods can be used to output a string without escaping
+      <code>params[:user_name]</code> content within the output tags will be
-it. As such, they should only be used when the string has already been manually
+      automatically HTML escaped before being output.
-escaped (for example, with the Rails <code>html_escape</code> method), or when
+    </p>
-the content is otherwise guaranteed to be safe (such as a hard-coded string).
+    <sample src="examples/safe.html.erb" />
-</p>
-</recommendation>
 
-<example>
+    <p>
-<p>
+      However, the following example is unsafe because user-controlled input is
-The following example is unsafe because user-controlled input is output without
+      output without escaping due to being marked as <code>html_safe</code>.
-escaping due to being marked as <code>html_safe</code>.
+    </p>
-</p>
+    <sample src="examples/reflective_xss.html.erb" />
-<sample src="examples/reflective_xss.html.erb" />
+  </example>
-</example>
 
-<references>
+  <references>
-<li>
+    <li>
-OWASP:
+      OWASP:
-<a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS
+      <a href="https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html#cross-site-scripting-xss">XSS
-Ruby on Rails Cheatsheet</a>.
+        Ruby on Rails Cheatsheet</a>.
-</li>
+    </li>
-<li>
+    <li>
-Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+      Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
-</li>
+    </li>
-</references>
+  </references>
 </qhelp>