JS: Factor out <recommendation> part of qhelp

asgerf · asgerf · commit 3496ae131b50 · 2022-02-17T09:07:08.000+01:00
diff --git a/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.qhelp b/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.qhelp
@@ -19,24 +19,7 @@
         </p>
     </overview>
 
-    <recommendation>
-
-        <p>
-            Restrict user inputs in the URL of an outgoing request, in particular:
-            <ul>
-                <li>
-                    Avoid user input in the hostname of the URL.
-                    Pick the hostname from an allow-list instead of constructing it directly from user input.
-                </li>
-                <li>
-                    Take care when user input is part of the pathname of the URL.
-                    Restrict the input so that path traversal ("<code>../<code>")
-                    cannot be used to redirect the request to an unintended endpoint.
-                </li>
-            </ul>
-        </p>
-
-    </recommendation>
+    <include src="RequestForgeryRecommendation.inc.qhelp"/>
 
     <example>
 
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp b/javascript/ql/src/Security/CWE-918/RequestForgery.qhelp
@@ -20,24 +20,7 @@
         </p>
     </overview>
 
-    <recommendation>
-
-        <p>
-            Restrict user inputs in the URL of an outgoing request, in particular:
-            <ul>
-                <li>
-                    Avoid user input in the hostname of the URL.
-                    Pick the hostname from an allow-list instead of constructing it directly from user input.
-                </li>
-                <li>
-                    Take care when user input is part of the pathname of the URL.
-                    Restrict the input so that path traversal ("<code>../<code>")
-                    cannot be used to redirect the request to an unintended endpoint.
-                </li>
-            </ul>
-        </p>
-
-    </recommendation>
+    <include src="RequestForgeryRecommendation.inc.qhelp"/>
 
     <example>
 
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgeryRecommendation.inc.qhelp b/javascript/ql/src/Security/CWE-918/RequestForgeryRecommendation.inc.qhelp
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+    <recommendation>
+
+        <p>
+            Restrict user inputs in the URL of an outgoing request, in particular:
+        </p>
+        <ul>
+            <li>
+                Avoid user input in the hostname of the URL.
+                Pick the hostname from an allow-list instead of constructing it directly from user input.
+            </li>
+            <li>
+                Take care when user input is part of the pathname of the URL.
+                Restrict the input so that path traversal ("<code>../</code>")
+                cannot be used to redirect the request to an unintended endpoint.
+            </li>
+        </ul>
+
+    </recommendation>
+
+</qhelp>
