From e52b9671b2261f2c5a8063c3a1696367a4ae966c Mon Sep 17 00:00:00 2001
From: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Date: Tue, 18 Oct 2022 16:03:10 +0200
Subject: [PATCH] Education text Fix (#1338)
---
rules/S2076/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S2076/java/how-to-fix-it/apache-commons.adoc | 2 +-
rules/S2076/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S2078/csharp/how-to-fix-it/dotnet.adoc | 4 ++--
rules/S2078/java/how-to-fix-it/java-se.adoc | 4 ++--
rules/S2083/csharp/how-to-fix-it/dotnet.adoc | 4 ++--
rules/S2083/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S2091/csharp/how-to-fix-it/dotnet.adoc | 3 +--
rules/S2091/java/how-to-fix-it/java-se.adoc | 4 ++--
rules/S2631/csharp/how-to-fix-it/dotnet.adoc | 4 ++--
rules/S2631/java/how-to-fix-it/java-se.adoc | 4 ++--
rules/S3649/csharp/how-to-fix-it/dapper.adoc | 2 +-
rules/S3649/csharp/how-to-fix-it/entity-framework.adoc | 2 +-
rules/S3649/java/how-to-fix-it/hibernate.adoc | 2 +-
rules/S3649/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S3649/java/how-to-fix-it/spring-jdbc.adoc | 2 +-
rules/S5131/csharp/how-to-fix-it/asp.net.adoc | 3 +--
rules/S5131/csharp/how-to-fix-it/razor.adoc | 2 +-
rules/S5131/java/how-to-fix-it/jsp.adoc | 2 +-
rules/S5131/java/how-to-fix-it/servlet.adoc | 4 ++--
rules/S5131/java/how-to-fix-it/spring.adoc | 2 +-
rules/S5131/java/how-to-fix-it/thymeleaf.adoc | 2 +-
rules/S5131/javascript/how-to-fix-it/expressjs.adoc | 4 ++--
rules/S5131/php/how-to-fix-it/core.adoc | 8 ++++----
rules/S5131/php/how-to-fix-it/laravel.adoc | 4 ++--
rules/S5131/php/how-to-fix-it/symfony.adoc | 4 ++--
rules/S5131/python/how-to-fix-it/django.adoc | 4 ++--
rules/S5131/python/how-to-fix-it/dtl.adoc | 6 +++---
rules/S5131/python/how-to-fix-it/flask.adoc | 4 ++--
rules/S5131/python/how-to-fix-it/jinja.adoc | 4 ++--
rules/S5135/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S5135/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S5144/csharp/how-to-fix-it/dotnet.adoc | 3 +--
rules/S5144/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S5145/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S5145/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S5146/csharp/how-to-fix-it/dotnet.adoc | 3 +--
rules/S5146/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S5147/java/how-to-fix-it/mongo-java-driver.adoc | 4 ++--
rules/S5334/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S5334/java/how-to-fix-it/commons-compiler.adoc | 2 +-
rules/S5883/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S5883/java/how-to-fix-it/apache-commons.adoc | 2 +-
rules/S5883/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S6096/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S6096/java/how-to-fix-it/java-se.adoc | 2 +-
rules/S6287/csharp/how-to-fix-it/dotnet.adoc | 2 +-
rules/S6287/java/how-to-fix-it/java-se.adoc | 2 +-
48 files changed, 67 insertions(+), 71 deletions(-)
diff --git a/rules/S2076/csharp/how-to-fix-it/dotnet.adoc b/rules/S2076/csharp/how-to-fix-it/dotnet.adoc
index ce89412964..6ba4a7375d 100644
--- a/rules/S2076/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S2076/csharp/how-to-fix-it/dotnet.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2076/java/how-to-fix-it/apache-commons.adoc b/rules/S2076/java/how-to-fix-it/apache-commons.adoc
index 19500fe797..977a1c0878 100644
--- a/rules/S2076/java/how-to-fix-it/apache-commons.adoc
+++ b/rules/S2076/java/how-to-fix-it/apache-commons.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2076/java/how-to-fix-it/java-se.adoc b/rules/S2076/java/how-to-fix-it/java-se.adoc
index caa10ba6d0..e347bce1cc 100644
--- a/rules/S2076/java/how-to-fix-it/java-se.adoc
+++ b/rules/S2076/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2078/csharp/how-to-fix-it/dotnet.adoc b/rules/S2078/csharp/how-to-fix-it/dotnet.adoc
index 44444c00d6..0ded920ae1 100644
--- a/rules/S2078/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S2078/csharp/how-to-fix-it/dotnet.adoc
@@ -1,9 +1,9 @@
=== How to fix it in .NET
-The following non-compliant code is vulnerable to LDAP injections because untrusted data is
+The following noncompliant code is vulnerable to LDAP injections because untrusted data is
concatenated in an LDAP query without prior validation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2078/java/how-to-fix-it/java-se.adoc b/rules/S2078/java/how-to-fix-it/java-se.adoc
index 7dcd051788..5ca83bd23a 100644
--- a/rules/S2078/java/how-to-fix-it/java-se.adoc
+++ b/rules/S2078/java/how-to-fix-it/java-se.adoc
@@ -1,9 +1,9 @@
=== How to fix it in Java SE
-The following non-compliant code is vulnerable to LDAP injections because untrusted data is
+The following noncompliant code is vulnerable to LDAP injections because untrusted data is
concatenated to an LDAP query without prior sanitization or validation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2083/csharp/how-to-fix-it/dotnet.adoc b/rules/S2083/csharp/how-to-fix-it/dotnet.adoc
index c3e5989a3e..cb275ab4fe 100644
--- a/rules/S2083/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S2083/csharp/how-to-fix-it/dotnet.adoc
@@ -3,13 +3,13 @@
:canonicalization_function: System.IO.Path.GetFullPath
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
public class ExampleController : Controller
{
- private static string TargetDirectory;
+ private static string TargetDirectory = "/path/to/target/directory/";
public void Example(string filename)
{
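Review bot: `TargetDirectory` now has a value but is still a mutable `static` field, and nothing in the hunk says that the trailing separator in `"/path/to/target/directory/"` matters. If the compliant example (outside this hunk) compares the result of `System.IO.Path.GetFullPath` against this value with a prefix check, a value without the trailing `/` would also accept a sibling directory whose name merely starts with the same characters. I would declare it as `private static readonly string TargetDirectory = "/path/to/target/directory/";` and add a short comment such as `// trailing separator is required for the prefix check`. The same declaration should be used in the compliant example so the two listings differ only by the fix. The class body continues past the end of the hunk.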
diff --git a/rules/S2083/java/how-to-fix-it/java-se.adoc b/rules/S2083/java/how-to-fix-it/java-se.adoc
index 21cb971734..2eadedd2dc 100644
--- a/rules/S2083/java/how-to-fix-it/java-se.adoc
+++ b/rules/S2083/java/how-to-fix-it/java-se.adoc
@@ -3,7 +3,7 @@
:canonicalization_function: java.io.File.getCanonicalPath
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2091/csharp/how-to-fix-it/dotnet.adoc b/rules/S2091/csharp/how-to-fix-it/dotnet.adoc
index f9a86e88f4..dc143e60ed 100644
--- a/rules/S2091/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S2091/csharp/how-to-fix-it/dotnet.adoc
@@ -2,7 +2,7 @@
The following code is vulnerable to XPath injections because untrusted data is
concatenated in an XPath query without prior validation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
@@ -17,7 +17,6 @@ public class ExampleController : Controller
return Json(doc.SelectSingleNode(expression) != null);
}
-
}
----
diff --git a/rules/S2091/java/how-to-fix-it/java-se.adoc b/rules/S2091/java/how-to-fix-it/java-se.adoc
index f0dcc64e6c..a00fbb9518 100644
--- a/rules/S2091/java/how-to-fix-it/java-se.adoc
+++ b/rules/S2091/java/how-to-fix-it/java-se.adoc
@@ -1,9 +1,9 @@
=== How to fix it in Java SE
-The following non-compliant code is vulnerable to XPath injections because untrusted data is
+The following noncompliant code is vulnerable to XPath injections because untrusted data is
concatenated to an XPath query without prior validation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2631/csharp/how-to-fix-it/dotnet.adoc b/rules/S2631/csharp/how-to-fix-it/dotnet.adoc
index 7db09e4359..7a8f11998a 100644
--- a/rules/S2631/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S2631/csharp/how-to-fix-it/dotnet.adoc
@@ -1,10 +1,10 @@
=== How to fix it in .NET
-The following non-compliant code is vulnerable to Regex Denial of Service
+The following noncompliant code is vulnerable to Regex Denial of Service
because untrusted data is used as a regex to scan a string without prior
sanitization or validation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S2631/java/how-to-fix-it/java-se.adoc b/rules/S2631/java/how-to-fix-it/java-se.adoc
index 4a20e7a9fd..1d481b1e05 100644
--- a/rules/S2631/java/how-to-fix-it/java-se.adoc
+++ b/rules/S2631/java/how-to-fix-it/java-se.adoc
@@ -1,10 +1,10 @@
=== How to fix it in Java SE
-The following non-compliant code is vulnerable to Regex Denial of Service
+The following noncompliant code is vulnerable to Regex Denial of Service
because untrusted data is used as a regex to scan a string without prior
sanitization or validation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S3649/csharp/how-to-fix-it/dapper.adoc b/rules/S3649/csharp/how-to-fix-it/dapper.adoc
index 34c71c564d..02ca7d8a99 100644
--- a/rules/S3649/csharp/how-to-fix-it/dapper.adoc
+++ b/rules/S3649/csharp/how-to-fix-it/dapper.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S3649/csharp/how-to-fix-it/entity-framework.adoc b/rules/S3649/csharp/how-to-fix-it/entity-framework.adoc
index 516989c1de..8b3077c91e 100644
--- a/rules/S3649/csharp/how-to-fix-it/entity-framework.adoc
+++ b/rules/S3649/csharp/how-to-fix-it/entity-framework.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S3649/java/how-to-fix-it/hibernate.adoc b/rules/S3649/java/how-to-fix-it/hibernate.adoc
index 863532e489..f3f14f2a25 100644
--- a/rules/S3649/java/how-to-fix-it/hibernate.adoc
+++ b/rules/S3649/java/how-to-fix-it/hibernate.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S3649/java/how-to-fix-it/java-se.adoc b/rules/S3649/java/how-to-fix-it/java-se.adoc
index 225a710637..52e05d531e 100644
--- a/rules/S3649/java/how-to-fix-it/java-se.adoc
+++ b/rules/S3649/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S3649/java/how-to-fix-it/spring-jdbc.adoc b/rules/S3649/java/how-to-fix-it/spring-jdbc.adoc
index 2d74faa729..e8b9169789 100644
--- a/rules/S3649/java/how-to-fix-it/spring-jdbc.adoc
+++ b/rules/S3649/java/how-to-fix-it/spring-jdbc.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5131/csharp/how-to-fix-it/asp.net.adoc b/rules/S5131/csharp/how-to-fix-it/asp.net.adoc
index 00ba0cb1ca..37146aaa2b 100644
--- a/rules/S5131/csharp/how-to-fix-it/asp.net.adoc
+++ b/rules/S5131/csharp/how-to-fix-it/asp.net.adoc
@@ -1,6 +1,6 @@
=== How to fix it in ASP.NET
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
@@ -29,7 +29,6 @@ public class HelloController : Controller
{
[HttpGet]
public void Hello(string name, HttpResponse response)
-
{
string html = "
Hello"+ HttpUtility.HtmlEncode(name) +"
"
response.Write(html);
diff --git a/rules/S5131/csharp/how-to-fix-it/razor.adoc b/rules/S5131/csharp/how-to-fix-it/razor.adoc
index 06b1284e53..b48ce71617 100644
--- a/rules/S5131/csharp/how-to-fix-it/razor.adoc
+++ b/rules/S5131/csharp/how-to-fix-it/razor.adoc
@@ -3,7 +3,7 @@
The following code is vulnerable to cross-site scripting because auto-escaping of special HTML characters has been disabled.
The recommended way to fix this code is to move the HTML content to the template and to only inject the dynamic value. Therefore, it is not necessary to disable auto-escaping.
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5131/java/how-to-fix-it/jsp.adoc b/rules/S5131/java/how-to-fix-it/jsp.adoc
index 30f1277e9f..895dab2de8 100644
--- a/rules/S5131/java/how-to-fix-it/jsp.adoc
+++ b/rules/S5131/java/how-to-fix-it/jsp.adoc
@@ -4,7 +4,7 @@ The following code is vulnerable to cross-site scripting because JSP does not au
User input embedded in HTML code should be HTML-encoded to prevent the injection of additional code. This can be done with the https://owasp.org/www-project-java-encoder/[OWASP Java Encoder] or similar libraries.
-==== Non-compliant code example
+==== Noncompliant code example
[source,html,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5131/java/how-to-fix-it/servlet.adoc b/rules/S5131/java/how-to-fix-it/servlet.adoc
index ab02f90733..bf08bf5694 100644
--- a/rules/S5131/java/how-to-fix-it/servlet.adoc
+++ b/rules/S5131/java/how-to-fix-it/servlet.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
Third-party data, such as user input, is not to be trusted.
If embedded in HTML code, it should be HTML-encoded to prevent the injection of additional code. This can be done with the https://owasp.org/www-project-java-encoder/[OWASP Java Encoder] or similar libraries.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
@@ -37,7 +37,7 @@ If you do not intend to send HTML code to clients, the vulnerability can be fixe
For example, setting the content-type to `text/plain` with the `setContentType` function allows to safely reflect user input because browsers will not try to parse and execute the response.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=2,diff-type=noncompliant]
----
diff --git a/rules/S5131/java/how-to-fix-it/spring.adoc b/rules/S5131/java/how-to-fix-it/spring.adoc
index 892f1479b1..ca216465da 100644
--- a/rules/S5131/java/how-to-fix-it/spring.adoc
+++ b/rules/S5131/java/how-to-fix-it/spring.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
For example, you can use the `produces` property of the `GetMapping` annotation.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5131/java/how-to-fix-it/thymeleaf.adoc b/rules/S5131/java/how-to-fix-it/thymeleaf.adoc
index c685f1c0c9..e4dd8b811b 100644
--- a/rules/S5131/java/how-to-fix-it/thymeleaf.adoc
+++ b/rules/S5131/java/how-to-fix-it/thymeleaf.adoc
@@ -4,7 +4,7 @@ The following code is vulnerable to cross-site scripting.
User input embedded in HTML code should be HTML-encoded to prevent the injection of additional code.
-==== Non-compliant code example
+==== Noncompliant code example
[source,html,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5131/javascript/how-to-fix-it/expressjs.adoc b/rules/S5131/javascript/how-to-fix-it/expressjs.adoc
index 019c8883a5..295892dcd7 100644
--- a/rules/S5131/javascript/how-to-fix-it/expressjs.adoc
+++ b/rules/S5131/javascript/how-to-fix-it/expressjs.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
For example, you can use the `JsonResponse` class to safely return JSON messages.
-==== Non-compliant code example
+==== Noncompliant code example
[source,javascript,diff-id=1,diff-type=noncompliant]
----
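Review bot: The context sentence above the first heading in this Express.js page tells the reader to use the `JsonResponse` class, which is a Django API. The second hunk's context has the same problem: it refers to the `content_type` parameter of an `HttpResponse` object. Since this commit is a text fix for these pages, the prose should name the Express equivalents, for example `res.json()` for returning JSON and `res.set('Content-Type', 'text/plain')` (or `res.type()`) for setting the content type explicitly. As it stands, the advice that makes the reflected input safe points at functions that do not exist in this framework. The wording looks copied from the Django page, which is worth confirming against `rules/S5131/python/how-to-fix-it/django.adoc`.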
@@ -26,7 +26,7 @@ function (req, res) {
It is also possible to set the content-type header manually using the `content_type` parameter when creating an `HttpResponse` object.
-==== Non-compliant code example
+==== Noncompliant code example
[source,javascript,diff-id=2,diff-type=noncompliant]
----
diff --git a/rules/S5131/php/how-to-fix-it/core.adoc b/rules/S5131/php/how-to-fix-it/core.adoc
index 8ba01cb33c..4a9140b73f 100644
--- a/rules/S5131/php/how-to-fix-it/core.adoc
+++ b/rules/S5131/php/how-to-fix-it/core.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
User input embedded in HTML code should be HTML-encoded to prevent the injection of additional code.
PHP provides the built-in function `htmlspecialchars` to do this.
-==== Non-compliant code example
+==== Noncompliant code example
[source,php,diff-id=1,diff-type=noncompliant]
----
@@ -23,7 +23,7 @@ If you do not intend to send HTML code to clients, the vulnerability can be fixe
For example, setting the content-type to `text/plain` using the built-in `header` function allows to safely reflect user input since browsers will not try to parse and execute the response.
-==== Non-compliant code example
+==== Noncompliant code example
[source,php,diff-id=2,diff-type=noncompliant]
----
@@ -52,7 +52,7 @@ By default, `htmlspecialchars` does not encode single quotes, so if `++$input++`
Make sure to set the option `ENT_QUOTES` to encode single quotes.
-===== Non-compliant code example
+===== Noncompliant code example
[source,php,diff-id=3,diff-type=noncompliant]
----
@@ -72,7 +72,7 @@ If the HTTP body is sent before `header` is called, no headers will be sent to t
To fix this issue, send the headers before any output.
-===== Non-compliant code example
+===== Noncompliant code example
[source,php,diff-id=4,diff-type=noncompliant]
----
diff --git a/rules/S5131/php/how-to-fix-it/laravel.adoc b/rules/S5131/php/how-to-fix-it/laravel.adoc
index 263eefdde5..be9f5756c9 100644
--- a/rules/S5131/php/how-to-fix-it/laravel.adoc
+++ b/rules/S5131/php/how-to-fix-it/laravel.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
For example, you can use the `json` method of the `Response` class to safely return JSON messages.
-==== Non-compliant code example
+==== Noncompliant code example
[source,php,diff-id=1,diff-type=noncompliant]
----
@@ -21,7 +21,7 @@ $response = response()->json(['data' => $input]);
It is also possible to set the content-type header manually using the `header` method of the `Response` class.
-==== Non-compliant code example
+==== Noncompliant code example
[source,php,diff-id=2,diff-type=noncompliant]
----
diff --git a/rules/S5131/php/how-to-fix-it/symfony.adoc b/rules/S5131/php/how-to-fix-it/symfony.adoc
index 01bfe4b482..4e37280dca 100644
--- a/rules/S5131/php/how-to-fix-it/symfony.adoc
+++ b/rules/S5131/php/how-to-fix-it/symfony.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
For example, you can use the class `JsonResponse` to return JSON messages safely.
-==== Non-compliant code example
+==== Noncompliant code example
[source,php,diff-id=1,diff-type=noncompliant]
----
@@ -26,7 +26,7 @@ $response = new JsonResponse(['data' => $input]);
It is also possible to set the content-type manually using the `headers` attribute.
-==== Non-compliant code example
+==== Noncompliant code example
[source,php,diff-id=2,diff-type=noncompliant]
----
diff --git a/rules/S5131/python/how-to-fix-it/django.adoc b/rules/S5131/python/how-to-fix-it/django.adoc
index b52a1f091c..57af1fe029 100644
--- a/rules/S5131/python/how-to-fix-it/django.adoc
+++ b/rules/S5131/python/how-to-fix-it/django.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
For example, you can use the `JsonResponse` class to return JSON messages securely.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
@@ -30,7 +30,7 @@ def index(request):
It is also possible to set the content-type manually with the `content_type` parameter when creating an `HttpResponse` object.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=2,diff-type=noncompliant]
----
diff --git a/rules/S5131/python/how-to-fix-it/dtl.adoc b/rules/S5131/python/how-to-fix-it/dtl.adoc
index 6539c606ee..492a6079d7 100644
--- a/rules/S5131/python/how-to-fix-it/dtl.adoc
+++ b/rules/S5131/python/how-to-fix-it/dtl.adoc
@@ -2,7 +2,7 @@
The following code is vulnerable to cross-site scripting because auto-escaping of special HTML characters has been disabled. The recommended way to fix this code is to move the HTML content to the template and to only inject the dynamic value. Therefore, it is not necessary to disable auto-escaping.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
@@ -51,7 +51,7 @@ Django template auto-escaping only takes care of HTML entity encoding. It does n
Auto-escaping can also be disabled at the application level and introduce XSS vulnerabilities even if `++{% autoescape false %}++` or `++|safe++` are not used.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=3,diff-type=noncompliant]
----
@@ -92,7 +92,7 @@ In such a case it is better to add the value to an attribute.
Another option is to use the `++json_script++` filter to insert a data structure that can then be accessed through the JavaScript code.
-===== Non-compliant code example
+===== Noncompliant code example
[source,html,diff-id=4,diff-type=noncompliant]
----
diff --git a/rules/S5131/python/how-to-fix-it/flask.adoc b/rules/S5131/python/how-to-fix-it/flask.adoc
index a2cab759f9..1c647f8601 100644
--- a/rules/S5131/python/how-to-fix-it/flask.adoc
+++ b/rules/S5131/python/how-to-fix-it/flask.adoc
@@ -5,7 +5,7 @@ The following code is vulnerable to cross-site scripting because it returns an H
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response.
For example, you can use the `jsonify` class to return JSON messages safely.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
@@ -31,7 +31,7 @@ def index():
It is also possible to set the content-type manually with the `mimetype` parameter when calling the `make_response` function.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=2,diff-type=noncompliant]
----
diff --git a/rules/S5131/python/how-to-fix-it/jinja.adoc b/rules/S5131/python/how-to-fix-it/jinja.adoc
index 7d0b2a4e2e..de6c345626 100644
--- a/rules/S5131/python/how-to-fix-it/jinja.adoc
+++ b/rules/S5131/python/how-to-fix-it/jinja.adoc
@@ -3,7 +3,7 @@
The following code is vulnerable to cross-site scripting because auto-escaping of special HTML characters has been disabled.
The recommended way to fix this code is to move the HTML content to the template and to only inject the dynamic value. Therefore, it is not necessary to disable auto-escaping.
-==== Non-compliant code example
+==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
@@ -56,7 +56,7 @@ Although auto-escaping drastically decreases the chance of introducing cross-sit
Injecting user-controlled values inside a ``++script++`` is dangerous. In such a case, the best practice is to add the value to an attribute.
Another option is to use the ``++tojson++`` filter to insert a data structure in the JavaScript code at render time.
-===== Non-compliant code example
+===== Noncompliant code example
[source,html,diff-id=3,diff-type=noncompliant]
----
diff --git a/rules/S5135/csharp/how-to-fix-it/dotnet.adoc b/rules/S5135/csharp/how-to-fix-it/dotnet.adoc
index 03472e5f9f..0a7acf0d57 100644
--- a/rules/S5135/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S5135/csharp/how-to-fix-it/dotnet.adoc
@@ -3,7 +3,7 @@
The following code is vulnerable to deserialization attacks because it
deserializes HTTP data without validating it first.
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5135/java/how-to-fix-it/java-se.adoc b/rules/S5135/java/how-to-fix-it/java-se.adoc
index f0f39d1a3f..23ce62e57f 100644
--- a/rules/S5135/java/how-to-fix-it/java-se.adoc
+++ b/rules/S5135/java/how-to-fix-it/java-se.adoc
@@ -3,7 +3,7 @@
The following code is vulnerable to deserialization attacks because it
deserializes HTTP data without validating it first.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5144/csharp/how-to-fix-it/dotnet.adoc b/rules/S5144/csharp/how-to-fix-it/dotnet.adoc
index c6115e4e58..035ab1682b 100644
--- a/rules/S5144/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S5144/csharp/how-to-fix-it/dotnet.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
@@ -34,7 +34,6 @@ public class ExampleController : Controller
[HttpGet]
public IActionResult ImageFetch(string location)
-
{
Uri uri = new Uri(location);
diff --git a/rules/S5144/java/how-to-fix-it/java-se.adoc b/rules/S5144/java/how-to-fix-it/java-se.adoc
index 8947787405..9f1b8e589c 100644
--- a/rules/S5144/java/how-to-fix-it/java-se.adoc
+++ b/rules/S5144/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5145/csharp/how-to-fix-it/dotnet.adoc b/rules/S5145/csharp/how-to-fix-it/dotnet.adoc
index 6c4fca443b..f6e1386d2e 100644
--- a/rules/S5145/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S5145/csharp/how-to-fix-it/dotnet.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5145/java/how-to-fix-it/java-se.adoc b/rules/S5145/java/how-to-fix-it/java-se.adoc
index d0ff4ccd15..0df2e6e4a2 100644
--- a/rules/S5145/java/how-to-fix-it/java-se.adoc
+++ b/rules/S5145/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5146/csharp/how-to-fix-it/dotnet.adoc b/rules/S5146/csharp/how-to-fix-it/dotnet.adoc
index 67331bb4cc..b34d0f503c 100644
--- a/rules/S5146/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S5146/csharp/how-to-fix-it/dotnet.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
@@ -32,7 +32,6 @@ public class ExampleController : Controller
[HttpGet]
public void Redirect(string url)
-
{
if (allowedUrls.Contains(url))
{
diff --git a/rules/S5146/java/how-to-fix-it/java-se.adoc b/rules/S5146/java/how-to-fix-it/java-se.adoc
index d94fbbdba3..d55a6975da 100644
--- a/rules/S5146/java/how-to-fix-it/java-se.adoc
+++ b/rules/S5146/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5147/java/how-to-fix-it/mongo-java-driver.adoc b/rules/S5147/java/how-to-fix-it/mongo-java-driver.adoc
index 9f453fec4c..4391f9d298 100644
--- a/rules/S5147/java/how-to-fix-it/mongo-java-driver.adoc
+++ b/rules/S5147/java/how-to-fix-it/mongo-java-driver.adoc
@@ -4,7 +4,7 @@ The following code is vulnerable to NoSQL injections because untrusted data is
concatenated to the `$where` operator. This operator indicates to the backend
that the expression needs to be interpreted, resulting in code injection.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
@@ -18,7 +18,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Un
String input = req.getParameter("input");
MongoClient mongoClient = new MongoClient();
- DB database = mongoClient.getDB("exampleDatabase");
+ DB database = mongoClient.getDB("ExampleDatabase");
DBCollection collection = database.getCollection("exampleCollection");
BasicDBObject query = new BasicDBObject();
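Review bot: The database name literal changes to `"ExampleDatabase"` only in this noncompliant listing; the diffstat shows no third changed line in this file, so the compliant listing was not touched here. If the `diff-id=1` pairing is used to render a diff between the two examples, any difference in this literal would show up as part of the security fix and distract from the actual change to the `$where` handling. Please confirm the compliant example already uses `mongoClient.getDB("ExampleDatabase")`. The `doGet` body starts before and ends after this hunk.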
diff --git a/rules/S5334/csharp/how-to-fix-it/dotnet.adoc b/rules/S5334/csharp/how-to-fix-it/dotnet.adoc
index 2a4a081495..55c016f260 100644
--- a/rules/S5334/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S5334/csharp/how-to-fix-it/dotnet.adoc
@@ -3,7 +3,7 @@
The following code is vulnerable to arbitrary code execution because it compiles
and runs HTTP data.
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5334/java/how-to-fix-it/commons-compiler.adoc b/rules/S5334/java/how-to-fix-it/commons-compiler.adoc
index 312214fc0b..8192b67eaa 100644
--- a/rules/S5334/java/how-to-fix-it/commons-compiler.adoc
+++ b/rules/S5334/java/how-to-fix-it/commons-compiler.adoc
@@ -3,7 +3,7 @@
The following code is vulnerable to arbitrary code execution because it compiles
and runs HTTP data.
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5883/csharp/how-to-fix-it/dotnet.adoc b/rules/S5883/csharp/how-to-fix-it/dotnet.adoc
index 240b3708bf..57c4bb8d9b 100644
--- a/rules/S5883/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S5883/csharp/how-to-fix-it/dotnet.adoc
@@ -15,7 +15,7 @@ In this particular case, an attacker may remove files in `/some/folder` with the
'*' -exec rm -rf {} \;
----
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5883/java/how-to-fix-it/apache-commons.adoc b/rules/S5883/java/how-to-fix-it/apache-commons.adoc
index d3af6ec40b..4c49631f25 100644
--- a/rules/S5883/java/how-to-fix-it/apache-commons.adoc
+++ b/rules/S5883/java/how-to-fix-it/apache-commons.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S5883/java/how-to-fix-it/java-se.adoc b/rules/S5883/java/how-to-fix-it/java-se.adoc
index 9698ba02c2..9d7f69b183 100644
--- a/rules/S5883/java/how-to-fix-it/java-se.adoc
+++ b/rules/S5883/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S6096/csharp/how-to-fix-it/dotnet.adoc b/rules/S6096/csharp/how-to-fix-it/dotnet.adoc
index 830475bfed..03945f24c0 100644
--- a/rules/S6096/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S6096/csharp/how-to-fix-it/dotnet.adoc
@@ -5,7 +5,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S6096/java/how-to-fix-it/java-se.adoc b/rules/S6096/java/how-to-fix-it/java-se.adoc
index 855084745b..55a1cd20cc 100644
--- a/rules/S6096/java/how-to-fix-it/java-se.adoc
+++ b/rules/S6096/java/how-to-fix-it/java-se.adoc
@@ -5,7 +5,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S6287/csharp/how-to-fix-it/dotnet.adoc b/rules/S6287/csharp/how-to-fix-it/dotnet.adoc
index 44da501eb5..4ee8b77a68 100644
--- a/rules/S6287/csharp/how-to-fix-it/dotnet.adoc
+++ b/rules/S6287/csharp/how-to-fix-it/dotnet.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
diff --git a/rules/S6287/java/how-to-fix-it/java-se.adoc b/rules/S6287/java/how-to-fix-it/java-se.adoc
index 3a4c1bc239..5d506f6fec 100644
--- a/rules/S6287/java/how-to-fix-it/java-se.adoc
+++ b/rules/S6287/java/how-to-fix-it/java-se.adoc
@@ -2,7 +2,7 @@
include::../../common/fix/code-rationale.adoc[]
-==== Non-compliant code example
+==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----