Docs changes

java/ql/lib/semmle/code/java/frameworks/Velocity.qll

@@ -1,4 +1,4 @@
-/** Definitions related to the Apache Velocity Templating library. */
+/** Definitions related to the Apache Velocity templating library. */
 
 import java
 private import semmle.code.java.dataflow.ExternalFlow

java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp

@@ -1,31 +1,32 @@
 <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
-  <overview>
-    <p>
-            Template Injection occurs when user input is embedded in a template in an unsafe manner.
-            An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.</p>
-  </overview>
-  <recommendation>
-    <p>
-            To fix this, ensure that an untrusted value is not used as a template. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.
-        </p>
-  </recommendation>
-  <example>
-    <p>
-      In the example given below, an untrusted HTTP parameter
-      <code>code</code>
-      is used as a Velocity template string. This can lead to remote code execution.
-    </p>
-    <sample src="SSTIBad.java" />
+<overview>
+<p>
+Template Injection occurs when user input is embedded in a template's code in an unsafe manner.
+An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side.
+This permits the attacker to run arbitrary code in the server's context.
+</p>
+</overview>
+<recommendation>
+<p>
+To fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this,
+use a sandboxed environment where access to unsafe attributes and methods is prohibited.
+</p>
+</recommendation>
+<example>
+<p>
+In the example given below, an untrusted HTTP parameter <code>code</code> is used as a Velocity template string. 
+This can lead to remote code execution.
+</p>
+<sample src="SSTIBad.java" />
 
-    <p>
-      In the next example the problem is avoided by using a fixed template string
-      <code>s</code>
-      . Since, the template is not attacker controlled in this case, we prevent untrusted code execution.
-    </p>
-    <sample src="SSTIGood.java" />
-  </example>
-  <references>
-    <li>Portswigger : [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection)</li>
-  </references>
+<p>
+In the next example the problem is avoided by using a fixed template string <code>s</code>.
+Since the template's code is not attacker-controlled in this case, the untrusted code execution is prevented.
+</p>
+<sample src="SSTIGood.java" />
+</example>
+<references>
+<li>Portswigger: <a href="https://portswigger.net/web-security/server-side-template-injection">Server Side Template Injection</a></li>
+</references>
 </qhelp>

java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql

@@ -1,11 +1,12 @@
 /**
  * @name Server-side template injection
- * @description Untrusted input used as a template parameter can lead to remote code execution.
+ * @description Untrusted input interpreted as a template can lead to remote code execution.
  * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id java/server-side-template-injection
  * @tags security
+ *       external/cwe/cwe-1336
  *       external/cwe/cwe-094
  */