Python: clean up change notes and query help.

markshannon · markshannon · commit 21246dcbf2d7 · 2018-11-28T15:02:47.000Z
diff --git a/change-notes/1.19/analysis-python.md b/change-notes/1.19/analysis-python.md
@@ -56,10 +56,10 @@ A new predicate `Stmt.getAnEntryNode()` has been added to make it easier to writ
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Enabled on LGTM by default. |
-| Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Enabled on LGTM by default. |
-| Jinja2 templating with autoescape=False (`py/jinja2/autoescape-false`) | security, external/cwe/cwe-079 | Finds instantiations of jinja2.Environment with `autoescape=False` which may allow XSS attacks. Not enabled on LGTM by default. |
-| Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Not enabled on LGTM by default. |
+| Flask app is run in debug mode (`py/flask-debug`) | security, external/cwe/cwe-215, external/cwe/cwe-489 | Finds instances where a Flask application is run in debug mode. Results are shown on LGTM by default. |
+| Information exposure through an exception (`py/stack-trace-exposure`) | security, external/cwe/cwe-209, external/cwe/cwe-497 | Finds instances where information about an exception may be leaked to an external user. Results are shown on LGTM by default. |
+| Jinja2 templating with autoescape=False (`py/jinja2/autoescape-false`) | security, external/cwe/cwe-079 | Finds instantiations of `jinja2.Environment` with `autoescape=False` which may allow XSS attacks. Results are hidden on LGTM by default. |
+| Request without certificate validation (`py/request-without-cert-validation`) | security, external/cwe/cwe-295 | Finds requests where certificate verification has been explicitly turned off, possibly allowing man-in-the-middle attacks. Results are hidden on LGTM by default. |
 
 ## Changes to existing queries
 
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.qhelp
@@ -6,7 +6,7 @@
 <overview>
 <p>
 
-Cross-site scripting attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
+Cross-site scripting (XSS) attacks can occur if untrusted input is not escaped. This applies to templates as well as code.
 The <code>jinja2</code> templates may be vulnerable to XSS if the environment has <code>autoescape</code> set to <code>False</code>.
 Unfortunately, <code>jinja2</code> sets <code>autoescape</code> to <code>False</code> by default.
 Explicitly setting <code>autoescape</code> to <code>True</code> when creating an <code>Environment</code> object will prevent this.
@@ -23,7 +23,7 @@ For example, it can be used when creating an environment <code>Environment(autoe
 
 <example>
 <p>
-The following example is a minimal flask app which shows a safe and unsafe way to render the given name back to the page.
+The following example is a minimal Flask app which shows a safe and an unsafe way to render the given name back to the page.
 The first view is unsafe as <code>first_name</code> is not escaped, leaving the page vulnerable to cross-site scripting attacks.
 The second view is safe as <code>first_name</code> is escaped, so it is not vulnerable to cross-site scripting attacks.
 </p>
@@ -32,11 +32,13 @@ The second view is safe as <code>first_name</code> is escaped, so it is not vuln
 
 <references>
 <li>
-http://jinja.pocoo.org/docs/2.10/api/
 Jinja2: <a href="http://jinja.pocoo.org/docs/2.10/api/">API</a>.
 </li>
 <li>
 Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
 </li>
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS (Cross Site Scripting) Prevention Cheat Sheet</a>.
+</li>
 </references>
 </qhelp>
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -1,6 +1,6 @@
 /**
  * @name Jinja2 templating with autoescape=False
- * @description Using jinja2 templates with autoescape=False can
+ * @description Using jinja2 templates with 'autoescape=False' can
  *              cause a cross-site scripting vulnerability.
  * @kind problem
  * @problem.severity error
