fix typos and update docs

This commit is contained in:
Erik Krogh Kristensen
2021-10-12 12:33:41 +02:00
parent 311df4d2b7
commit 5228196f79
3 changed files with 4 additions and 7 deletions

View File

@@ -24,12 +24,11 @@ module CookieWrites {
/**
* Holds if the cookie is likely an authentication cookie or otherwise sensitive.
* Can never hold for client-side cookies.
*/
abstract predicate isSensitive();
/**
* Holds if the cookie write happens on a server, that is `httpOnly` flag is relevant.
* Holds if the cookie write happens on a server, i.e. the `httpOnly` flag is relevant.
*/
predicate isServerSide() {
any() // holds by default. Client-side cookie writes should extend ClientSideCookieWrite.
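Review bot: the reworded doc comment on `isServerSide()` still leaves the consequence of the `any()` default implicit: every `CookieWrite` that does not extend `ClientSideCookieWrite` is treated as server-side, so a newly added cookie model that forgets that base class will be checked for the `httpOnly` flag even though browser code cannot set it. Suggest adding one sentence to the comment, e.g. "Subclasses modelling client-side writes must extend `ClientSideCookieWrite`", so the requirement lives in the documented API and not only in the inline comment next to `any()`.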

View File

@@ -6,7 +6,7 @@
<overview>
<p>
Authentication cookies stored by a server can be accessed by a client if the <code>httpOnly</code> flag is not set.
<p>
</p>
<p>
An attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.
</p>
@@ -18,8 +18,6 @@ Set the <code>httpOnly</code> flag on all cookies that are not needed by the cli
</p>
</recommendation>
<references>
<example>
<p>
The following example stores an authentication token in a cookie that can
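Review bot: removing the nested `<p>` at the top of the overview and the stray `<references>` opening before `<example>` is the right fix, since an unclosed `<references>` immediately followed by `<example>` would not be well-formed qhelp XML; please confirm that the file's real `<references>` element further down still has its matching closing tag and that no other orphaned `<references>` remains, because this hunk only shows the deletion and not the rest of the file.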

View File

@@ -22,12 +22,12 @@ attribute on the cookie.
The following example stores an authentication token in a cookie that can
be transmitted in clear text.
</p>
<sample src="examples/CleartextStorageBad.js"/>
<sample src="examples/ClearTextCookieBad.js"/>
<p>
To force the cookie to be transmitted using SSL, set the <code>secure</code>
attribute on the cookie.
</p>
<sample src="examples/CleartextStorageGood.js"/>
<sample src="examples/ClearTextCookieGood.js"/>
</example>
<references>
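Review bot: the `<sample src>` values change from `CleartextStorageBad.js`/`CleartextStorageGood.js` to `ClearTextCookieBad.js`/`ClearTextCookieGood.js`, but the commit summary lists only 3 changed files with 4 additions and 7 deletions and no renames, so the example files under `examples/` must already exist under the new names for the qhelp to resolve; if they are still named `CleartextStorage*.js`, include the rename in this commit.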