Improve documentation

javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp

@@ -21,7 +21,7 @@
 			The best practice to avoid code injection vulnerabilities
 			in GitHub workflows is to set the untrusted input value of the expression
 			to an intermediate environment variable and then use the environment variable
-			using the native syntax of the shell/script interpreter (i.e. <b>NOT</b> the ${{ env.VAR }}).
+			using the native syntax of the shell/script interpreter (i.e. <b>NOT</b> the <i>${{ env.VAR }}</i>).
 		</p>
         <p>
             It is also recommended to limit the permissions of any tokens used 
@@ -40,6 +40,18 @@
 			the environment variable and will prevent the attack:
 		</p>
 		<sample src="examples/comment_issue_good.yml" />
+
+		<p>
+			The following example uses an environment variable, but
+			still allows injection because of the use of expression syntax:
+		</p>
+		<sample src="examples/comment_issue_bad_env.yml" />
+
+		<p>
+			The following example uses shell syntax to read
+			the environment variable and will prevent the attack:
+		</p>
+		<sample src="examples/comment_issue_good.yml" />
 	</example>
 
 	<references>

javascript/ql/src/Security/CWE-094/examples/comment_issue_bad_env.yml

@@ -0,0 +1,10 @@
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+    -  env:
+        BODY: ${{ github.event.issue.body }}
+      run: |
+        echo '${{ env.BODY }}'