RB: make the alert messages of taint-tracking queries more consistent #10304
Conversation
erik-krogh
force-pushed
the
rb-followMsg
branch
from
9b93f5e to
79a0489
Compare
erik-krogh
added
the
ready-for-doc-review
| select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(), | ||
| "a user-provided value" |
There was a problem hiding this comment.
Minor nit: do we want the have the a as part of the link text or not?
| select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(), | |
| "a user-provided value" | |
| select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(), | |
| "user-provided value" |
I don't think it matters too much, but there might be some W3C recommendation about link texts. In the past I've read guidelines like, link text should be concise, descriptive, and ideally start with important words first (to accommodate screen readers that present lists of links on a page in alphabetical order). Arguably user provided value isn't much more descriptive than a user provided value , and only marginally shorter.
The same phrase is used in many places.
There was a problem hiding this comment.
We don't want the article in the link text, you're right about the W3C recommendation 👍
The W3C guidance on link texts even have an example where the article is left out of the link text.
I've included the article in basically every link-text I've rewritten as part of these PRs, I should fix that.
I'll update this PR for now, but I'll wait with updating the other languages.
(And maybe write a QL-for-QL query for it).
| select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(), | ||
| "Sensitive data returned by " + source.getNode().(Source).describe() |
There was a problem hiding this comment.
I think we should keep the link text concise.
| select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(), | |
| "Sensitive data returned by " + source.getNode().(Source).describe() | |
| select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.", source.getNode(), | |
| source.getNode().(Source).describe() |
| select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(), | ||
| "Sensitive data returned by " + source.getNode().(Source).describe() |
There was a problem hiding this comment.
| select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(), | |
| "Sensitive data returned by " + source.getNode().(Source).describe() | |
| select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.", source.getNode(), | |
| source.getNode().(Source).describe() |
erik-krogh
removed
the
ready-for-doc-review
I just did this for Python and JavaScript.
I'm rewriting alert messages for the taint tracking queries:
This path depends on a user-provided value.User-provided value flows to this location and is used in a path.I also generally tried to use "this location" instead of "here".
I tried to formulate messages to use "depends on" and use the term "a user-provided value".
The previous change-note for changing the alert messages still cover this PR.