JS: fixup documentation

esbena · esbena · commit 58b5bd5cfd60 · 2020-04-24T10:56:53.000+02:00
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.qhelp b/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.qhelp
@@ -30,8 +30,13 @@
 
 	<recommendation>
 
-		Sanitize all relevant HTML meta-characters when constructing
-		HTML dynamically, pay special attention to where the sanitized value is used.
+		<p>
+
+			Sanitize all relevant HTML meta-characters when
+			constructing HTML dynamically, and pay special attention to where the
+			sanitized value is used.
+
+		</p>
 
 	</recommendation>
 
@@ -75,8 +80,7 @@
 		</li>
 		<li>
 			OWASP
-			<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
-			Scripting</a>.
+			<a href="https://owasp.org/www-community/Types_of_Cross-Site_Scripting">Types of Cross-Site</a>.
 		</li>
 		<li>
 			Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
@@ -1,7 +1,7 @@
 /**
  * @name Incomplete HTML attribute sanitization
  * @description Writing incompletely sanitized values to HTML
- *              attribute strings  can lead to a cross-site
+ *              attribute strings can lead to a cross-site
  *              scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
diff --git a/javascript/ql/src/Security/CWE-116/examples/IncompleteHtmlAttributeSanitization.js b/javascript/ql/src/Security/CWE-116/examples/IncompleteHtmlAttributeSanitization.js
@@ -3,7 +3,7 @@ var app = require('express')();
 app.get('/user/:id', function(req, res) {
 	let id = req.params.id;
 	id = id.replace(/<|>/g, ""); // BAD
-	let userHtml = `<div data-id="${id}">${getUserName(id)} || Unknown name</div>`;
+	let userHtml = `<div data-id="${id}">${getUserName(id) || "Unknown name"}</div>`;
 	// ...
 	res.send(prefix + userHtml + suffix);
 });
diff --git a/javascript/ql/src/Security/CWE-116/examples/IncompleteHtmlAttributeSanitizationGood.js b/javascript/ql/src/Security/CWE-116/examples/IncompleteHtmlAttributeSanitizationGood.js
@@ -3,7 +3,7 @@ var app = require('express')();
 app.get('/user/:id', function(req, res) {
 	let id = req.params.id;
 	id = id.replace(/<|>|&|"/g, ""); // GOOD
-	let userHtml = `<div data-id="${id}">${getUserName(id)} || Unknown name</div>`;
+	let userHtml = `<div data-id="${id}">${getUserName(id) || "Unknown name"}</div>`;
 	// ...
 	res.send(prefix + userHtml + suffix);
 });
