Update javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.qhelp

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2026-04-29 18:55:14 +02:00 · 2020-06-18 19:43:36 +02:00
parent 71a7ec593c
commit e84339d5bf
1 changed files with 2 additions and 2 deletions
--- a/javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.qhelp
@@ -21,7 +21,7 @@ Always verify the sender's identity of incoming messages.
 <p>In the first example, the `MessageEvent.data` is passed to the `eval` function withouth checking the origin. This means that any window can send arbitrary messages that will be executed in the window receiving the message</p>
 <sample src="examples/postMessageNoOriginCheck.js" />

-<p> In the second example, the `MessageEvent.origin` is verified with an unsecure check. For example, using `event.origin.indexOf('www.example.com') > -1` can be baypassed because the string `www.example.com` could appear anywhere in `event.origin` (i.e. `www.example.com.mydomain.com`)
+<p> In the second example, the `MessageEvent.origin` is verified with an unsecure check. For example, using `event.origin.indexOf('www.example.com') > -1` can be bypassed because the string `www.example.com` could appear anywhere in `event.origin` (i.e. `www.example.com.mydomain.com`)</p>
 <sample src="examples/postMessageWithInsufficientCheck.js" />

 <p> In the third example, the `MessageEvent.origin` is properly checked against a trusted origin. 
@@ -37,4 +37,4 @@ Always verify the sender's identity of incoming messages.
 <li><a href="https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/">The pitfalls of postMessage</a></li>

 </references>
-</qhelp>
+</qhelp>