Fix enumerations, related with Join multiline strings with '' , ' ' o…

…r '\n'? #16

db/15-directory-listing.json

@@ -22,12 +22,14 @@
       "listing will differ depending on the type of server being used (IIS,", 
       "Apache, etc.). If directory listing is required, and permitted, then", 
       "steps should be taken to ensure that the risk of such a configuration", 
-      "is reduced.\n\nThese can include:\n\n1. Requiring authentication to access", 
-      "affected pages. 2. Adding the affected path to the `robots.txt` file", 
-      "to prevent the directory    contents being searchable via search", 
-      "engines. 3. Ensuring that sensitive files are not stored within the", 
-      "web or document root. 4. Removing any files that are not required for", 
-      "the application to function."
+      "is reduced.\n\nThese can include:\n",
+      " 1. Requiring authentication to access affected pages.\n",
+      " 2. Adding the affected path to the `robots.txt` file to prevent the",
+      "directory contents being searchable via search engines.\n",
+      " 3. Ensuring that sensitive files are not stored within the", 
+      "web or document root.\n",
+      " 4. Removing any files that are not required for the application to",
+      "function.\n"
     ]
   }, 
   "tags": [

db/5-captcha-protected-form.json

@@ -19,12 +19,13 @@
     "effort": 50, 
     "guidance": [
       "Although no remediation may be required based on this finding alone,", 
-      "manual testing should ensure that:\n\n1. The server keeps track of", 
-      "CAPTCHA tokens in use and has the token terminated     after its first", 
-      "use or after a period of time. Therefore preventing replay attacks. 2.", 
-      "The CAPTCHA answer is not hidden in plain text within the response", 
-      "that is     sent to the client. 3. The CAPTCHA image should not be", 
-      "weak and easily solved."
+      "manual testing should ensure that:\n",
+      " 1. The server keeps track of CAPTCHA tokens in use and has the token",
+      "terminated after its first use or after a period of time. Therefore",
+      "preventing replay attacks.\n",
+      " 2. The CAPTCHA answer is not hidden in plain text within the response", 
+      "that is sent to the client.\n",
+      " 3. The CAPTCHA image should not be weak and easily solved.\n"
     ]
   }
 }

db/56-dom-based-cross-site-scripting-xss.json

@@ -24,14 +24,15 @@
       "action, using untrusted data, should be avoided wherever possible, as", 
       "these may not be inspected by server side filtering.\n\nTo remedy DOM", 
       "XSS vulnerabilities where these sensitive document actions must be", 
-      "used, it is essential to:\n\n1. Ensure any untrusted data is treated as", 
-      "text, as opposed to being interpreted     as code or mark-up within", 
-      "the page. 2. Escape untrusted data prior to being used within the", 
-      "page. Escaping methods     will vary depending on where the untrusted", 
-      "data is being used.     (See references for details.) 3. Use", 
-      "`document.createElement`, `element.setAttribute`,", 
-      "`element.appendChild`,     etc. to build dynamic interfaces as opposed", 
-      "to HTML rendering methods such as     `document.write`,", 
+      "used, it is essential to:\n",
+      " 1. Ensure any untrusted data is treated as text, as opposed to being",
+      "interpreted as code or mark-up within the page.\n",
+      " 2. Escape untrusted data prior to being used within the page. Escaping",
+      "methods will vary depending on where the untrusted data is being used.",
+      "(See references for details.)\n",
+      " 3. Use `document.createElement`, `element.setAttribute`,", 
+      "`element.appendChild`, etc. to build dynamic interfaces as opposed", 
+      "to HTML rendering methods such as `document.write`,", 
       "`document.writeIn`, `element.innerHTML`, or `element.outerHTML `etc."
     ]
   }, 

db/57-dom-based-cross-site-scripting-xss-via-input-fields.json

@@ -24,14 +24,15 @@
       "action, using untrusted data, should be avoided wherever possible, as", 
       "these may not be inspected by server side filtering.\n\nTo remedy DOM", 
       "XSS vulnerabilities where these sensitive document actions must be", 
-      "used, it is essential to:\n\n1. Ensure any untrusted data is treated as", 
-      "text, as opposed to being interpreted     as code or mark-up within", 
-      "the page. 2. Escape untrusted data prior to being used within the", 
-      "page. Escaping methods     will vary depending on where the untrusted", 
-      "data is being used.     (See references for details.) 3. Use", 
-      "`document.createElement`, `element.setAttribute`,", 
-      "`element.appendChild`,     etc. to build dynamic interfaces as opposed", 
-      "to HTML rendering methods such as     `document.write`,", 
+      "used, it is essential to:\n",
+      " 1. Ensure any untrusted data is treated as text, as opposed to being",
+      "interpreted as code or mark-up within the page.\n",
+      " 2. Escape untrusted data prior to being used within the page. Escaping",
+      "methods will vary depending on where the untrusted data is being used.",
+      "(See references for details.)\n",
+      " 3. Use `document.createElement`, `element.setAttribute`,", 
+      "`element.appendChild`, etc. to build dynamic interfaces as opposed", 
+      "to HTML rendering methods such as `document.write`,", 
       "`document.writeIn`, `element.innerHTML`, or `element.outerHTML `etc."
     ]
   }, 

db/58-dom-based-cross-site-scripting-xss-in-script-context.json

@@ -23,14 +23,15 @@
       "action, using untrusted data, should be avoided wherever possible, as", 
       "these may not be inspected by server side filtering.\n\nTo remedy DOM", 
       "XSS vulnerabilities where these sensitive document actions must be", 
-      "used, it is essential to:\n\n1. Ensure any untrusted data is treated as", 
-      "text, as opposed to being interpreted     as code or mark-up within", 
-      "the page. 2. Escape untrusted data prior to being used within the", 
-      "page. Escaping methods     will vary depending on where the untrusted", 
-      "data is being used.     (See references for details.) 3. Use", 
-      "`document.createElement`, `element.setAttribute`,", 
-      "`element.appendChild`,     etc. to build dynamic interfaces as opposed", 
-      "to HTML rendering methods such as     `document.write`,", 
+      "used, it is essential to:\n",
+      " 1. Ensure any untrusted data is treated as text, as opposed to being",
+      "interpreted as code or mark-up within the page.\n",
+      " 2. Escape untrusted data prior to being used within the page. Escaping",
+      "methods will vary depending on where the untrusted data is being used.",
+      "(See references for details.)\n",
+      " 3. Use `document.createElement`, `element.setAttribute`,", 
+      "`element.appendChild`, etc. to build dynamic interfaces as opposed", 
+      "to HTML rendering methods such as `document.write`,", 
       "`document.writeIn`, `element.innerHTML`, or `element.outerHTML `etc."
     ]
   }, 

tests/test_json_spec.py

@@ -99,3 +99,17 @@ def test_id_match(self):
                 invalid.append(db_file)
 
         self.assertEqual(invalid, [])
+
+    def test_no_multiple_spaces(self):
+        invalid = []
+
+        for vuln_id in DBVuln.get_all_db_ids():
+            db_vuln = DBVuln.from_id(vuln_id)
+
+            if '  ' in db_vuln.fix_guidance:
+                invalid.append((db_vuln.db_file, 'fix_guidance'))
+
+            if '  ' in db_vuln.description:
+                invalid.append((db_vuln.db_file, 'description'))
+
+        self.assertEqual(invalid, [])