Make qhelp for 'Incomplete URL substring sanitization' consistent across languages.

markshannon · markshannon · commit 3850f878793f · 2019-01-25T16:47:23.000Z
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
@@ -15,9 +15,9 @@
 
 		<p>
 
-			However, it is notoriously error-prone to treat the URL as
-			a string and check if one of the allowed hosts is a substring of the
-			URL. Malicious URLs can bypass such security checks by embedding one
+			However, treating the URL as a string and checking if one of the
+			allowed hosts is a substring of the URL is very prone to errors.
+			Malicious URLs can bypass such security checks by embedding one
 			of the allowed hosts in an unexpected location.
 
 		</p>
diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qhelp
@@ -14,10 +14,9 @@
         </p>
 
         <p>
-
-            However, it is notoriously error-prone to treat the URL as
-            a string and check if one of the allowed hosts is a substring of the
-            URL. Malicious URLs can bypass such security checks by embedding one
+            However, treating the URL as a string and checking if one of the
+            allowed hosts is a substring of the URL is very prone to errors.
+            Malicious URLs can bypass such security checks by embedding one
             of the allowed hosts in an unexpected location.
 
         </p>
