JS: Normalize whitespace

asger-semmle · asger-semmle · commit 778244878ad6 · 2019-05-14T10:31:28.000+01:00
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollution.qhelp b/javascript/ql/src/Security/CWE-400/PrototypePollution.qhelp
@@ -4,38 +4,38 @@
 <qhelp>
 
 <overview>
-	<p>
+  <p>
     Most JavaScript objects inherit the properties of the built-in <code>Object.prototype</code> object.
     If an attacker is be able to modify <code>Object.prototype</code>, they can tamper with the
     application logic and often escalate to remote code execution or cross-site scripting.
-	</p>
+  </p>
 
-	<p>
+  <p>
     One way to cause prototype pollution is through use of an unsafe <em>merge</em> or <em>extend</em> function
     to recursively copy properties from an untrusted source object.
     Such a call can modify any object reachable from the destination object, and
     the built-in <code>Object.prototype</code> is usually reachable through the special properties
     <code>__proto__</code> and <code>constructor.prototype</code>.
     An attacker can abuse this by sending an object with these property names and thereby modify <code>Object.prototype</code>.
-	</p>
+  </p>
 </overview>
 
 <recommendation>
-	<p>
+  <p>
     Update your library dependencies in order to use a safe version of the <em>merge</em> or <em>extend</em> function.
     If you library has no fixed version, switch to another library.
-	</p>
+  </p>
 </recommendation>
 
 <example>
-	<p>
+  <p>
     In the example below, the untrusted value <code>req.query.prefs</code> is parsed as JSON
     and then copied into a new object:
-	</p>
+  </p>
 
   <sample src="examples/PrototypePollution1.js"/>
 
-	<p>
+  <p>
     Prior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send
     the value <code>{"constructor": {"prototype": {"xxx": true}}}</code> to inject <code>xxx</code>
     in <code>Object.prototype</code>.
@@ -55,15 +55,15 @@
 </example>
 
 <references>
-	<li>Prototype pollution attacks:
-		<a href="https://hackerone.com/reports/380873">lodash</a>,
+  <li>Prototype pollution attacks:
+    <a href="https://hackerone.com/reports/380873">lodash</a>,
     <a href="https://hackerone.com/reports/454365">jQuery</a>,
     <a href="https://hackerone.com/reports/381185">extend</a>,
     <a href="https://hackerone.com/reports/430291">just-extend</a>,
     <a href="https://hackerone.com/reports/381194">merge.recursive</a>,
-	</li>
-	<li>Express:
-		<a href="https://expressjs.com/en/api.html#express.urlencoded">urlencoded()</a>
-	</li>
+  </li>
+  <li>Express:
+    <a href="https://expressjs.com/en/api.html#express.urlencoded">urlencoded()</a>
+  </li>
 </references>
 </qhelp>
