JavaScript: Address review comments.

Max Schaefer · Max Schaefer · commit 3b1e6c362c12 · 2019-11-14T17:11:59.000Z
diff --git a/change-notes/1.23/analysis-javascript.md b/change-notes/1.23/analysis-javascript.md
@@ -21,7 +21,7 @@
 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 |---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Ignoring result from pure array method (`js/ignore-array-result`)         | maintainability, correctness                                      | Highlights calls to array methods without side effects where the return value is ignored. Results are shown on LGTM by default. |
-| Incomplete URL scheme check (`js/incomplete-url-scheme-check`)            | security, correctness, external/cwe/cwe-020                       | Highlights checks for `javascript:` URLs that do not take `data:` or `vbscript:` URLs into account. |
+| Incomplete URL scheme check (`js/incomplete-url-scheme-check`)            | security, correctness, external/cwe/cwe-020                       | Highlights checks for `javascript:` URLs that do not take `data:` or `vbscript:` URLs into account. Results are shown on LGTM by default. |
 | Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are shown on LGTM by default. |
 | Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
 | Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.qhelp b/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.qhelp
@@ -13,7 +13,7 @@ the URL scheme of any untrusted URL, and reject URLs with the <code>javascript:<
 <p>
 However, the <code>data:</code> and <code>vbscript:</code> schemes can be used to represent
 executable code in a very similar way, so any validation logic that checks against
-<code>javascript:</code> but not against <code>data:</code> and <code>vbscript:</code> is likely to
+<code>javascript:</code>, but not against <code>data:</code> and <code>vbscript:</code>, is likely to
 be insufficient.
 </p>
 </overview>
