Ruby: remove extra opening p tag

2026-04-30 11:15:13 +02:00 · 2023-03-17 11:38:49 +00:00
parent 60f313863a
commit ee6288173f
1 changed files with 9 additions and 6 deletions
--- a/ruby/ql/src/experimental/template-injection/TemplateInjection.qhelp
+++ b/ruby/ql/src/experimental/template-injection/TemplateInjection.qhelp
@@ -17,11 +17,14 @@ use a sandboxed environment where access to unsafe attributes and methods is pro

 <example>
 <p>
-        <p>Consider the example given below, an untrusted HTTP parameter <code>name</code> is used to generate a template string. This can lead to remote code execution. </p>
-        <sample src="examples/SSTIBad.rb" />
-        
-        <p>Here we have fixed the problem by including ERB/Slim syntax in the string, then the user input will be rendered but no evaluated.</p>
-        <sample src="examples/SSTIGood.rb" />
+Consider the example given below, an untrusted HTTP parameter <code>name</code> is used to generate a template string. This can lead to remote code execution.
+</p>
+<sample src="examples/SSTIBad.rb" />
+
+<p>
+Here we have fixed the problem by including ERB/Slim syntax in the string, then the user input will be rendered but no evaluated.
+</p>
+<sample src="examples/SSTIGood.rb" />
 </example>

 <references>
@@ -32,4 +35,4 @@ Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection#Server_Side_Tem
 Portswigger : <a href="https://portswigger.net/web-security/server-side-template-injection">Server Side Template Injection</a>.
 </li>
 </references>
-</qhelp>
+</qhelp>