From 7aa8ce4ebdcb42b95f59093772afce230f2a3ca0 Mon Sep 17 00:00:00 2001
From: Nate Fischer
Date: Wed, 26 Jun 2019 09:39:24 -0700
Subject: [PATCH] docs(exec): minor wording changes on security doc (#951)

This is a follow-up to #950, to emphasize the message.
---
 README.md | 8 ++++----
 src/exec.js | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index e0c31252..602d6042 100644
--- a/README.md
+++ b/README.md
@@ -340,10 +340,10 @@ Not seeing the behavior you want? `exec()` runs everything through `sh`
 by default (or `cmd.exe` on Windows), which differs from `bash`. If you
 need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option.
 
-**Note:** as `shell.exec()` executes an arbitrary string in the system
-shell, it is **critical** to properly sanitize user input to avoid command
-execution. For more context, consult the [Security
-guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
+**Security note:** as `shell.exec()` executes an arbitrary string in the
+system shell, it is **critical** to properly sanitize user input to avoid
+**command injection**. For more context, consult the [Security
+Guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
 
 ### find(path [, path ...])
diff --git a/src/exec.js b/src/exec.js
index e6077a33..e765cb1a 100644
--- a/src/exec.js
+++ b/src/exec.js
@@ -178,10 +178,10 @@ function execAsync(cmd, opts, pipe, callback) {
 //@ by default (or `cmd.exe` on Windows), which differs from `bash`. If you
 //@ need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option.
 //@
-//@ **Note:** as `shell.exec()` executes an arbitrary string in the system
-//@ shell, it is **critical** to properly sanitize user input to avoid command
-//@ execution. For more context, consult the [Security
-//@ guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
+//@ **Security note:** as `shell.exec()` executes an arbitrary string in the
+//@ system shell, it is **critical** to properly sanitize user input to avoid
+//@ **command injection**. For more context, consult the [Security
+//@ Guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
 function _exec(command, options, callback) {
   options = options || {};
   if (!command) common.error('must specify command');
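Review bot: The added `//@` lines still describe the defense as "properly sanitize user input", which steers readers toward filtering shell metacharacters out of a string that, as the same paragraph says, is handed verbatim to `sh` or `cmd.exe`; that kind of filtering is hard to get right for both shells at once. One more doc sentence would make the safer pattern explicit, e.g. `//@ Where possible, do not build the command string from untrusted data at all; pass such values as separate arguments (e.g. via child_process.execFile) rather than interpolating them.` The README hunk earlier in this patch carries the same wording and should get the matching sentence so the two copies stay in step. The `_exec` function that follows the comment block is unchanged context here and its body continues past the hunk.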