fix typo, the variable in the example is called items

erik-krogh · erik-krogh · commit 7a338c408e6c · 2023-05-15T17:23:40.000+02:00
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.inc.qhelp b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.inc.qhelp
@@ -35,8 +35,8 @@
   <p>
     In the example below, the untrusted value <code>req.params.id</code> is used as the property name
     <code>req.session.todos[id]</code>. If a malicious user passes in the ID value <code>__proto__</code>,
-    the variable <code>todo</code> will then refer to <code>Object.prototype</code>.
-    Finally, the modification of <code>todo</code> then allows the attacker to inject arbitrary properties
+    the variable <code>items</code> will then refer to <code>Object.prototype</code>.
+    Finally, the modification of <code>items</code> then allows the attacker to inject arbitrary properties
     onto <code>Object.prototype</code>.
   </p>
 
