github
diff --git a/‎javascript/ql/lib/semmle/javascript/JSX.qll‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/JSX.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll‎
Lines changed: 5 additions & 5 deletions b/‎javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll‎
Lines changed: 5 additions & 5 deletions b/‎javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.qhelp‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.qhelp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.expected‎
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.expected‎
Lines changed: 1 addition & 1 deletion
@@ -70,7 +70,7 @@ class JsxElement extends JsxNode {
   override string getAPrimaryQlClass() { result = "JsxElement" }
 
   /**
-   * Holds if this JSX element is a HTML element.
+   * Holds if this JSX element is an HTML element.
    * That is, the name starts with a lowercase letter.
    */
   predicate isHtmlElement() { getName().regexpMatch("[a-z].*") }
 
@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
     not regexp.fillsCaptureGroup("<script>", group) and
     msg =
       "This regular expression only parses --> (capture group " + group +
-        ") and not --!> as a HTML comment end tag."
+        ") and not --!> as an HTML comment end tag."
   )
   or
   regexp.matches("<!-- foo -->") and
 
@@ -80,7 +80,7 @@ module HtmlSanitization {
   }
 
   /**
-   * Gets a HTML-relevant character that is replaced by `chain`.
+   * Gets an HTML-relevant character that is replaced by `chain`.
    */
   private string getALikelyReplacedCharacter(StringReplaceCallSequence chain) {
     result = "\"" and
 
@@ -35,7 +35,7 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm
   or
   result = t.getAMatchedString()
   or
-  // A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
+  // A substring matched by some character class. This is only used to match the "word" part of an HTML tag (e.g. "iframe" in "<iframe").
   exists(NfaUtils::CharacterClass cc |
     cc = NfaUtils::getCanonicalCharClass(t) and
     cc.matches(result) and
@@ -101,12 +101,12 @@ private class RepetitionMatcher extends EmptyReplaceRegExpTerm {
 predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {
   prefix = getADangerousMatchedPrefix(t) and
   (
-    kind = "path injection" and
+    kind = "a path injection vulnerability" and
     prefix = ["/..", "../"] and
     // If the regex is matching explicit path components, it is unlikely that it's being used as a sanitizer.
     not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_-].*")
     or
-    kind = "HTML element injection" and
+    kind = "an HTML element injection vulnerability" and
     (
       // comments
       prefix = "<!--" and
@@ -119,7 +119,7 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string
     )
   )
   or
-  kind = "HTML attribute injection" and
+  kind = "an HTML attribute injection vulnerability" and
   prefix =
     [
       // ordinary event handler prefix
@@ -197,6 +197,6 @@ query predicate problems(
 ) {
   exists(string kind |
     isResult(replace, dangerous, prefix, kind) and
-    msg = "This string may still contain $@, which may cause a " + kind + " vulnerability."
+    msg = "This string may still contain $@, which may cause " + kind + "."
   )
 }
@@ -26,7 +26,7 @@ module ImproperCodeSanitization {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * A call to a HTML sanitizer seen as a source for improper code sanitization
+   * A call to an HTML sanitizer seen as a source for improper code sanitization
    */
   class HtmlSanitizerCallAsSource extends Source {
     HtmlSanitizerCallAsSource() { this instanceof HtmlSanitizerCall }
 
@@ -32,7 +32,7 @@ module UnsafeJQueryPlugin {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
+   * An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
    */
   class AmbiguousHtmlOrSelectorArgument extends DataFlow::Node,
     DomBasedXss::JQueryHtmlOrSelectorArgument {
@@ -173,7 +173,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
+   * An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
    */
   class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {
     AmbiguousHtmlOrSelectorArgumentAsSink() {
@@ -182,7 +182,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * A hint that a value is expected to be treated as a HTML fragment later.
+   * A hint that a value is expected to be treated as an HTML fragment later.
    */
   class IntentionalHtmlFragmentHint extends Sanitizer {
     IntentionalHtmlFragmentHint() {
@@ -191,7 +191,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * Holds if there exists a jQuery plugin that likely expects `sink` to be treated as a HTML fragment.
+   * Holds if there exists a jQuery plugin that likely expects `sink` to be treated as an HTML fragment.
    */
   predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {
     exists(
@@ -206,7 +206,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * Gets a property-write that writes a HTML-like constant string to `prop`.
+   * Gets a property-write that writes an HTML-like constant string to `prop`.
    */
   pragma[noinline]
   private DataFlow::PropWrite getALikelyHtmlWrite(string prop) {
 
@@ -65,7 +65,7 @@ module Shared {
   private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHtml
 
   /**
-   * A guard that checks if a string can contain quotes, which is a guard for strings that are inside a HTML attribute.
+   * A guard that checks if a string can contain quotes, which is a guard for strings that are inside an HTML attribute.
    */
   abstract class QuoteGuard extends TaintTracking::SanitizerGuardNode, StringOps::Includes {
     QuoteGuard() {
 
@@ -44,7 +44,7 @@
 	<sample src="examples/unsafe-html-construction_safe.js" />
 
 	<p>
-		Alternatively, a HTML sanitizer can be used to remove unsafe content.
+		Alternatively, an HTML sanitizer can be used to remove unsafe content.
 	</p>
 
 	<sample src="examples/unsafe-html-construction_sanitizer.js" />
 
@@ -12,7 +12,7 @@
 
   <recommendation>
     <p>
-      If using <code>JSON.stringify</code> or a HTML sanitizer to sanitize a string inserted into 
+      If using <code>JSON.stringify</code> or an HTML sanitizer to sanitize a string inserted into 
       JavaScript code, then make sure to perform additional sanitization or remove potentially
       dangerous characters. 
     </p>
 
@@ -13,5 +13,5 @@
 | tst.js:18:6:18:48 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
 | tst.js:19:6:19:147 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
 | tst.js:20:3:20:57 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
-| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as a HTML comment end tag. |
+| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
 | tst.js:22:6:22:33 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {`
`87`	`87`	`not regexp.fillsCaptureGroup("<script>", group) and`
`88`	`88`	`msg =`
`89`	`89`	`"This regular expression only parses --> (capture group " + group +`
`90`		`- ") and not --!> as a HTML comment end tag."`
	`90`	`+ ") and not --!> as an HTML comment end tag."`
`91`	`91`	`)`
`92`	`92`	`or`
`93`	`93`	`regexp.matches("<!-- foo -->") and`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ module HtmlSanitization {`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`/**`
`83`		- * Gets a HTML-relevant character that is replaced by `chain`.
	`83`	+ * Gets an HTML-relevant character that is replaced by `chain`.
`84`	`84`	`*/`
`85`	`85`	`private string getALikelyReplacedCharacter(StringReplaceCallSequence chain) {`
`86`	`86`	`result = "\"" and`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm`
`35`	`35`	`or`
`36`	`36`	`result = t.getAMatchedString()`
`37`	`37`	`or`
`38`		`- // A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").`
	`38`	`+ // A substring matched by some character class. This is only used to match the "word" part of an HTML tag (e.g. "iframe" in "<iframe").`
`39`	`39`	`exists(NfaUtils::CharacterClass cc \|`
`40`	`40`	`cc = NfaUtils::getCanonicalCharClass(t) and`
`41`	`41`	`cc.matches(result) and`
`@@ -101,12 +101,12 @@ private class RepetitionMatcher extends EmptyReplaceRegExpTerm {`
`101`	`101`	`predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {`
`102`	`102`	`prefix = getADangerousMatchedPrefix(t) and`
`103`	`103`	`(`
`104`		`- kind = "path injection" and`
	`104`	`+ kind = "a path injection vulnerability" and`
`105`	`105`	`prefix = ["/..", "../"] and`
`106`	`106`	`// If the regex is matching explicit path components, it is unlikely that it's being used as a sanitizer.`
`107`	`107`	`not t.getSuccessor().getAMatchedString().regexpMatch("(?is).[a-z0-9_-].*")`
`108`	`108`	`or`
`109`		`- kind = "HTML element injection" and`
	`109`	`+ kind = "an HTML element injection vulnerability" and`
`110`	`110`	`(`
`111`	`111`	`// comments`
`112`	`112`	`prefix = "<!--" and`
`@@ -119,7 +119,7 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string`
`119`	`119`	`)`
`120`	`120`	`)`
`121`	`121`	`or`
`122`		`- kind = "HTML attribute injection" and`
	`122`	`+ kind = "an HTML attribute injection vulnerability" and`
`123`	`123`	`prefix =`
`124`	`124`	`[`
`125`	`125`	`// ordinary event handler prefix`
`@@ -197,6 +197,6 @@ query predicate problems(`
`197`	`197`	`) {`
`198`	`198`	`exists(string kind \|`
`199`	`199`	`isResult(replace, dangerous, prefix, kind) and`
`200`		`- msg = "This string may still contain $@, which may cause a " + kind + " vulnerability."`
	`200`	`+ msg = "This string may still contain $@, which may cause " + kind + "."`
`201`	`201`	`)`
`202`	`202`	`}`