JS: address doc review

Author: asger-semmle

javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp

@@ -5,7 +5,7 @@
 <p>
 Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens.
 A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site.
-This means the emails will be sent out to potential victims, originating from a server they trust but with
+This means the emails will be sent out to potential victims, originating from a server they trust, but with
 links leading to a malicious web site.
 </p>
 <p>

javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js

@@ -14,6 +14,6 @@ app.post('/resetpass', (req, res) => {
     from: 'webmaster@example.com',
     to: email,
     subject: 'Forgot password',
-    text: `Forgot your password?. Click here to reset: https://${req.host}/resettoken/${token}`,
+    text: `Click to reset password: https://${req.host}/resettoken/${token}`,
   });
 });

javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js

@@ -14,6 +14,6 @@ app.post('/resetpass', (req, res) => {
     from: 'webmaster@example.com',
     to: email,
     subject: 'Forgot password',
-    text: `Forgot your password?. Click here to reset: https://${config.hostname}/resettoken/${token}`,
+    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,
   });
 });