authorMathieu Suen <mathieu.suen@sonarsource.com>2022-07-22 14:18:39 +0200
committersonartech <sonartech@sonarsource.com>2022-07-22 20:03:01 +0000
commit7882b9fdb8436ae2cd0553104282cba968e02bb4 (patch)
treef217c35e49128126085dec207bf3831b988a9cad
parent5062e402789480b1ab7c3822d8bdc65c5a6bdcdc (diff)
SONAR-16598 Update education principles
-rw-r--r--server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts2
-rw-r--r--server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx4
-rw-r--r--server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx6
-rw-r--r--server/sonar-web/src/main/js/components/rules/educationPrinciples/NeverTrustUserInput.tsx (renamed from server/sonar-web/src/main/js/components/rules/educationPrinciples/LeastTrustPrinciple.tsx)23
4 files changed, 19 insertions, 16 deletions
diff --git a/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts b/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts
index 0f6d6af4791..8756329b36d 100644
--- a/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts
+++ b/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts
@@ -171,7 +171,7 @@ export default class CodingRulesMock {
content: resourceContent
}
],
- educationPrinciples: ['defense_in_depth', 'least_trust_principle']
+ educationPrinciples: ['defense_in_depth', 'never_trust_user_input']
})
];
diff --git a/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx b/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx
index 306eb9f2dff..ef9cc3b4b3c 100644
--- a/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx
+++ b/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx
@@ -24,7 +24,7 @@ import { Dict } from '../../types/types';
import { ButtonLink } from '../controls/buttons';
import { Alert } from '../ui/Alert';
import DefenseInDepth from './educationPrinciples/DefenseInDepth';
-import LeastTrustPrinciple from './educationPrinciples/LeastTrustPrinciple';
+import NeverTrustUserInput from './educationPrinciples/NeverTrustUserInput';
import RuleDescription from './RuleDescription';
import './style.css';
@@ -37,7 +37,7 @@ interface Props {
const EDUCATION_PRINCIPLES_MAP: Dict<React.ComponentType> = {
defense_in_depth: DefenseInDepth,
- least_trust_principle: LeastTrustPrinciple
+ never_trust_user_input: NeverTrustUserInput
};
export default class MoreInfoRuleDescription extends React.PureComponent<Props, {}> {
handleNotificationScroll = () => {
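Review bot: Renaming the `EDUCATION_PRINCIPLES_MAP` key from `least_trust_principle` to `never_trust_user_input` changes the string contract with whatever supplies `educationPrinciples` on a rule, not just a local identifier; any rule payload still carrying the old key will look up `undefined` in this `Dict<React.ComponentType>`. The lookup and how a missing entry is handled are outside this hunk, so I cannot tell whether it is guarded or would try to render `undefined`. Worth a comment on the map documenting that the keys must match the `educationPrinciples` values emitted by the rules API, e.g. `// Keys mirror the educationPrinciples identifiers sent with a rule; unknown keys must be skipped by the renderer.`, and a check that the renderer tolerates an unknown key.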
diff --git a/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx b/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx
index e338d15b045..2e228c57b5d 100644
--- a/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx
+++ b/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx
@@ -26,7 +26,7 @@ export default function DefenseInDepth() {
<p>
Applications and infrastructure benefit greatly from relying on multiple security mechanisms
layered on top of each other. If one security mechanism fails, there is a high probability
- that the subsequent layer of security will successfully defend against the attack.
+ that the subsequent layers of security will successfully defend against the attack.
</p>
<p>A non-exhaustive list of these code protection ramparts includes the following:</p>
@@ -40,8 +40,8 @@ export default function DefenseInDepth() {
</ul>
<p>
- Note that these layers must be simple enough to use in an everyday workflow. Harsh security
- measures can lead to users bypassing them.
+ Note that these layers must be simple enough to use in an everyday workflow. Security
+ measures should not break usability.
</p>
</>
);
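Review bot: The reworded closing sentence drops the reason the previous text gave, which is the security-relevant part: overly harsh controls get bypassed, so the layer stops protecting anything. "Security measures should not break usability" reads as a product concern rather than a defensive one. I would keep the rationale, e.g. `Note that these layers must be simple enough to use in an everyday workflow. Security measures should not break usability; otherwise users tend to work around them and the layer stops protecting anything.` The enclosing `DefenseInDepth` function starts outside this hunk.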
diff --git a/server/sonar-web/src/main/js/components/rules/educationPrinciples/LeastTrustPrinciple.tsx b/server/sonar-web/src/main/js/components/rules/educationPrinciples/NeverTrustUserInput.tsx
index eaa2882a12a..98c505fca41 100644
--- a/server/sonar-web/src/main/js/components/rules/educationPrinciples/LeastTrustPrinciple.tsx
+++ b/server/sonar-web/src/main/js/components/rules/educationPrinciples/NeverTrustUserInput.tsx
@@ -19,19 +19,22 @@
*/
import * as React from 'react';
-export default function LeastTrustPrinciple() {
+export default function NeverTrustUserInput() {
return (
<>
- <h3>Least Trust Principle</h3>
- <p>Applications must treat all third-party data as attacker-controlled data. </p>
+ <h3>Never Trust User Input</h3>
<p>
- First, the application must determine where the third-party data originates and treat that
- data source as an attack vector.
+ Applications must treat all user input and, more generally, all third-party data as
+ attacker-controlled data.
+ </p>
+ <p>
+ The application must determine where the third-party data comes from and treat that data
+ source as an attack vector. Two rules apply:
</p>
<p>
- Then, the application must validate the attacker-controlled data against predefined formats,
- such as:
+ First, before using it in the application&apos;s business logic, the application must
+ validate the attacker-controlled data against predefined formats, such as:
</p>
<ul>
<li>Character sets</li>
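Review bot: "validate the attacker-controlled data against predefined formats" leaves it open whether the formats are an allow-list or a deny-list, and the deny-list reading is the one that fails in practice. I would make the allow-list intent explicit in the new paragraph, e.g. `validate the attacker-controlled data against an allow-list of predefined formats, such as:`. The heading "Never Trust User Input" is also narrower than the body, which correctly covers all third-party data; the first paragraph already bridges that, so it is only worth keeping in mind for the identifier. In the next hunk, "Unsanitized code can corrupt the application's logic" presumably means "Unsanitized data", since the sentence is about string data being inserted into interpreted contexts. The `NeverTrustUserInput` function continues past this hunk.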
@@ -41,9 +44,9 @@ export default function LeastTrustPrinciple() {
</ul>
<p>
- Next, the code must sanitize the data before performing mission-critical operations on the
- attacker-controlled data. The code must know in which contexts the intercepted data is used
- and act accordingly.
+ Second, the application must sanitize string data before inserting it into interpreted
+ contexts (client-side code, file paths, SQL queries). Unsanitized code can corrupt the
+ application&apos;s logic.
</p>
</>
);