Merge pull request github#1726 from xiemaisi/js/help-fixes

semmle-qlci · web-flow · commit 0bf9529bc9a9 · 2019-08-12T11:41:36.000+01:00
Approved by esben-semmle
diff --git a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.qhelp b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.qhelp
@@ -47,9 +47,8 @@
 		<p>
 
 			The check with the regular expression match is, however, easy to bypass. For example
-			by embedding <code>example.com</code> in the path component:
-			<code>http://evil-example.net/example.com</code>, or in the query
-			string component: <code>http://evil-example.net/?x=example.com</code>.
+			by embedding <code>http://example.com/</code> in the query
+			string component: <code>http://evil-example.net/?x=http://example.com/</code>.
 
 			Address these shortcomings by using anchors in the regular expression instead:
 
diff --git a/javascript/ql/src/Security/CWE-022/TaintedPath.qhelp b/javascript/ql/src/Security/CWE-022/TaintedPath.qhelp
@@ -41,7 +41,7 @@ However, a malicious user could enter a file name which is an absolute path, suc
 In the second example, it appears that the user is restricted to opening a file within the
 <code>"user"</code> home directory. However, a malicious user could enter a file name containing
 special characters. For example, the string <code>"../../etc/passwd"</code> will result in the code
-reading the file located at <code>"/home/[user]/../../etc/passwd"</code>, which is the system's
+reading the file located at <code>"/home/user/../../etc/passwd"</code>, which is the system's
 password file. This file would then be sent back to the user, giving them access to all the
 system's passwords.
 </p>
