Commit c98dacf

changes based on doc review
1 parent c50951c commit c98dacf

2 files changed

+5
-5
lines changed


javascript/ql/src/Security/CWE-117/LogInjection.qhelp

Lines changed: 4 additions & 4 deletions
@@ -18,20 +18,20 @@ arbitrary HTML may be included to spoof log entries.</p>
1818
User input should be suitably sanitized before it is logged.
1919
</p>
2020
<p>
21-
If the log entries are plain text then line breaks should be removed from user input, using
21+
If the log entries are in plain text then line breaks should be removed from user input, using
2222
<code>String.prototype.replace</code> or similar. Care should also be taken that user input is clearly marked
23-
in log entries, and that a malicious user cannot cause confusion in other ways.
23+
in log entries.
2424
</p>
2525
<p>
26-
For log entries that will be displayed in HTML, user input should be HTML encoded before being logged, to prevent forgery and
26+
For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and
2727
other forms of HTML injection.
2828
</p>
2929

3030
</recommendation>
3131

3232
<example>
3333
<p>In the first example, a username, provided by the user, is logged using `console.info`. In
34-
the first case, it is logged without any sanitization. In the second case the username is used to build an error that is logged using `console.error`.
34+
the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using `console.error`.
3535
If a malicious user provides `username=Guest%0a[INFO]+User:+Admin%0a` as a username parameter,
3636
the log entry will be splitted in two different lines, where the second line will be `[INFO]+User:+Admin`.
3737
</p>
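Review bot: the unchanged context on line 36 still reads "the log entry will be splitted in two different lines"; since this commit is already polishing this paragraph, fix it to "the log entry will be split into two lines". In the same hunk, the payload on line 35 is shown URL-encoded (`%0a`, `+`) while the resulting second line on line 36 keeps the literal `+`; after query-string decoding it would read `[INFO] User: Admin`, so either show the decoded value or state that the raw parameter is logged. Dropping "and that a malicious user cannot cause confusion in other ways" on line 23 makes the sentence more concrete, which is fine, but line 21 now names only line breaks; consider saying carriage returns and other control characters need the same treatment so the recommendation is not read too narrowly.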

javascript/ql/src/Security/CWE-117/LogInjection.ql

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
/**
2-
* @name Log Injection
2+
* @name Log injection
33
* @description Building log entries from user-controlled sources is vulnerable to
44
* insertion of forged log entries by a malicious user.
55
* @kind path-problem
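Review bot: the sentence-case `@name` is fine as a style change; while the header is being touched, the `@description` on lines 3-4 reads awkwardly ("Building log entries from user-controlled sources is vulnerable to insertion of forged log entries"), since it is the log, not the act of building it, that is exposed. Suggest: `* @description Building log entries from user-controlled sources allows a malicious user` / `*              to insert forged log entries.`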
