JS: address some comments

javascript/ql/src/Security/CWE-094/MethodNameInjection.qhelp

@@ -15,6 +15,7 @@ in its <code>constructor</code> property.
 <recommendation>
 <p>
 Avoid invoking user-controlled methods on the global object or on any function object.
+Whitelist the permitted method names or change the type of object the methods are stored on.
 </p>
 </recommendation>
 

javascript/ql/src/Security/CWE-094/MethodNameInjection.ql

@@ -1,8 +1,8 @@
 /**
  * @name Method name injection
- * @description Invoking user-controlled methods on a arbitrary objects can lead to remote code execution.
+ * @description Invoking user-controlled methods on arbitrary objects can lead to remote code execution.
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @precision high
  * @id js/method-name-injection
  * @tags security