Updated recommendations for avoiding JEXL injections

artem-smotrakov · web-flow · commit 7cc7ec962e8f · 2021-03-03T11:40:59.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp
@@ -14,8 +14,8 @@ and then evaluated, then it may allow the attacker to run arbitrary code.
 
 <recommendation>
 <p>
-Including untrusted input in a JEXL expression should be avoided. If it is not possible,
-JEXL expressions should be run in a sandbox that allows accessing only
+It is generally recommended to avoid using untrusted input in a JEXL expression.
+If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only
 explicitly allowed classes.
 </p>
 </recommendation>
@@ -60,4 +60,4 @@ that checks if callees are instances of allowed classes.
   <a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
 </li>
 </references>
-</qhelp>
+</qhelp>
