Merge pull request #559 from xiemaisi/js/invalid-dynamic-method-call

JavaScript: Documentation review for new query `UnvalidatedDynamicMethodCall`.

Author: mchammer01

javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.qhelp

@@ -6,13 +6,13 @@
 <overview>
 <p>
 JavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods
-can be looked up by name and then called. However, if he method name is user controlled, an attacker
+can be looked up by name and then called. However, if the method name is user-controlled, an attacker
 could choose a name that makes the application invoke an unexpected method, which may cause a runtime
 exception. If this exception is not handled, it could be used to mount a denial-of-service attack.
 </p>
 <p>
-For example, there might not be a method of the given name or the result of the lookup might not be
-a function, which would cause the method call to throw a <code>TypeError</code> at runtime.
+For example, there might not be a method of the given name, or the result of the lookup might not be
+a function. In either case the method call will throw a <code>TypeError</code> at runtime.
 </p>
 <p>
 Another, more subtle example is where the result of the lookup is a standard library method from
@@ -33,7 +33,7 @@ If the dynamic method lookup cannot be avoided, consider whitelisting permitted
 the very least, check that the method is an own property and not inherited from the prototype object.
 If the object on which the method is looked up contains properties that are not methods, you
 should additionally check that the result of the lookup is a function. Even if the object only
-contains methods it is still a good idea to perform this check in case other properties are
+contains methods, it is still a good idea to perform this check in case other properties are
 added to the object later on.
 </p>
 </recommendation>