move md links to <a>

Alvaro Muñoz · pwntester · commit 6ca28a8bc690 · 2020-10-27T15:47:54.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureBeanValidation.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureBeanValidation.qhelp
@@ -4,9 +4,11 @@
 <qhelp>
 
 <overview>
-<p>Bean validation custom constraint error messages support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions).
-Controlling part of the error message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument will lead to arbitrary Java code execution.
-Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.</p>
+<p>Bean validation custom constraint error messages support different types of interpolation, 
+including <a href="https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions">Java EL expressions</a>.
+Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()`
+argument will lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally 
+untrusted) bean properties flow into the custom error message.</p>
 </overview>
 
 <recommendation>
@@ -18,7 +20,8 @@ HibernateConstraintValidatorContext context = constraintValidatorContext.unwrap(
 context.addMessageParameter( "foo", "bar" );
 context.buildConstraintViolationWithTemplate( "My violation message contains a parameter {foo}").addConstraintViolation();
 ```
-<li>Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).
+<li>Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization 
+logic can be found <a href="https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17">here</a>.
 - Disable the EL interpolation and only use `ParameterMessageInterpolator`:</li>
 ``` java
 Validator validator = Validation.byDefaultProvider()
@@ -27,7 +30,8 @@ Validator validator = Validation.byDefaultProvider()
    .buildValidatorFactory()
    .getValidator();
 ```
-<li>Replace Hibernate-Validator with Apache BVal which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.</li>
+<li>Replace Hibernate-Validator with Apache BVal which in its latest version does not interpolate EL expressions by default.
+Note that this replacement may not be a simple drop-in replacement.</li>
 </recommendation>
 
 <example>
