Merge pull request #300 from srt32/patch-1

Sauyon Lee · web-flow · commit 402b2395203c · 2020-08-24T08:57:26.000-07:00
Update bad / good message for CWE 079
diff --git a/ql/src/Security/CWE-079/ReflectedXssGood.go b/ql/src/Security/CWE-079/ReflectedXssGood.go
@@ -11,7 +11,7 @@ func serve1() {
 		r.ParseForm()
 		username := r.Form.Get("username")
 		if !isValidUsername(username) {
-			// BAD: a request parameter is incorporated without validation into the response
+			// GOOD: a request parameter is escaped before being put into the response
 			fmt.Fprintf(w, "%q is an unknown user", html.EscapeString(username))
 		} else {
 			// TODO: do something exciting
diff --git a/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.go b/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.go
@@ -11,7 +11,7 @@ func serve1() {
 		r.ParseForm()
 		username := r.Form.Get("username")
 		if !isValidUsername(username) {
-			// BAD: a request parameter is incorporated without validation into the response
+			// GOOD: a request parameter is escaped before being put into the response
 			fmt.Fprintf(w, "%q is an unknown user", html.EscapeString(username))
 		} else {
 			// TODO: do something exciting
