apply docreview feedback

Author: Stephan Brandauer

javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp

@@ -6,43 +6,43 @@
 		<p>
 			Including a resource from an untrusted source or using an untrusted channel may
 			allow an attacker to include arbitrary code in the response.
-			When including an external resource (eg., a <code>script</code> element or an
+			When including an external resource (for example, a <code>script</code> element or an
 			<code>iframe</code> element) on a page, it is important to ensure that the received
 			data is not malicious.
 		</p>
 
 		<p>
-			When including external resources, it is possible to verify that the origin (the server
-			that responds to the request) is the intended one by using an <code>https</code> URL.
+			When including external resources, it is possible to verify that the responding server
+			is the intended one by using an <code>https</code> URL.
 			This prevents a MITM (man-in-the-middle) attack where an attacker might have been able
 			to spoof a server response.
 		</p>
 
 		<p>
-			Even when <code>https</code> is used, an attacker might still compromise the origin server.
-			When using a <code>script</code> element, checking for <em>subresource integrity</em>
-			(checking the contents of the data received by supplying a cryptographic digest of the
-			expected sources to the script element) is possible. The script will only load sources
-			that match the digest and an attacker will be unable to modify the script even when the
-			server is compromised.
+			Even when <code>https</code> is used, an attacker might still compromise the server.
+			When you use a <code>script</code> element, you can check for subresource integrity -
+			that is, you can check the contents of the data received by supplying a cryptographic
+			digest of the expected sources to the <code>script</code> element. The script will only
+			load sources that match the digest and an attacker will be unable to modify the script
+			even when the server is compromised.
 		</p>
 
 		<p>
 			Subresource integrity checking is commonly recommended when importing a fixed version of
-			a library, eg., from a CDN (content-delivery network). Then, the fixed digest of that
-			version of the library can easily be added to the <code>script</code> element's
+			a library - for example, from a CDN (content-delivery network). Then, the fixed digest
+			of that version of the library can easily be added to the <code>script</code> element's
 			<code>integrity</code> attribute.
 		</p>
 	</overview>
 
 	<recommendation>
 		<p>
-			When an <code>iframe</code> element is used to embed a page, it is important to use a
+			When an <code>iframe</code> element is used to embed a page, it is important to use an
 			<code>https</code> URL.
 		</p>
 
 		<p>
-			When using a <code>script</code> element to load a script, it is important to use a
+			When using a <code>script</code> element to load a script, it is important to use an
 			<code>https</code> URL and to consider checking subresource integrity.
 		</p>
 	</recommendation>

javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql

@@ -1,5 +1,5 @@
 /**
- * @name Inclusion of functionality from untrusted source.
+ * @name Inclusion of functionality from an untrusted source
  * @description Including functionality from an untrusted source may allow
  *              an attacker to control the functionality and execute arbitrary code.
  * @kind problem

javascript/ql/src/change-notes/2022-02-14-functionality-from-untrusted-source.md

@@ -2,5 +2,5 @@
 category: newQuery
 ---
 * A new query, `js/functionality-from-untrusted-source`, has been added to the query suite. It finds DOM elements
-  that load functionality from untrusted sources, like a `script`- or `iframe`-element using http-links.
+  that load functionality from untrusted sources, like `script` or `iframe` elements using `http` links.
   The query is run by default.