Update python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll

Co-authored-by: Rasmus Wriedt Larsen <[email protected]>

Author: yoff

python/ql/lib/semmle/python/security/dataflow/LogInjectionCustomizations.qll

@@ -57,11 +57,14 @@ module LogInjection {
    * A call to replace line breaks, considered as a sanitizer.
    */
   class ReplaceLineBreaksSanitizer extends Sanitizer, DataFlow::CallCfgNode {
-    // This is actually not safe:
+    // Note: This sanitizer is not 100% accurate, since:
     // - we do not check that all kinds of line breaks are replaced
     // - we do not check that one kind of line breaks is not replaced by another
-    // however, we lack a simple way to do better, and the query would likely
-    // be too noisy without this. Consider rewriting using flow states.
+    //
+    // However, we lack a simple way to do better, and the query would likely
+    // be too noisy without this. 
+    //
+    // TODO: Consider rewriting using flow states.
     ReplaceLineBreaksSanitizer() {
       this.getFunction().(DataFlow::AttrRead).getAttributeName() = "replace" and
       this.getArg(0).asExpr().(StrConst).getText() in ["\r\n", "\n"]