Java: Documentation cleanup for setJavascriptEnabled

java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.qhelp

@@ -3,16 +3,22 @@
  "qhelp.dtd">
 <qhelp>
   <overview>
-<p>
-  Enabling JavaScript in an Android WebView allows for the running of JavaScript
-code in the context of the running application. This opens the possibility for a
-man-in-the-middle attack, where the attacker can inject arbitrary JavaScript.
-</p>
+    <p>
+      Enabling JavaScript in an Android WebView allows for the running of JavaScript
+      code in the context of the running application. This opens the possibility for
+      cross-site scripting if the attacker can inject arbitrary JavaScript.
+    </p>
 
-<p>
-  You can enable or disbale Javascript execution using
-  the <code>setJavaScriptEnabled</code> method of the settings of a WebView.
-</p>
+    <p>
+      For example, if your application's WebView allows for visitng web pages
+      which you do not trust, it is possible for an attacker to lead the user to
+      a page which loads malicious JavaScript.
+    </p>
+
+    <p>
+      You can enable or disbale Javascript execution using
+      the <code>setJavaScriptEnabled</code> method of the settings of a WebView.
+    </p>
   </overview>
 
   <recommendation>
@@ -33,13 +39,9 @@ man-in-the-middle attack, where the attacker can inject arbitrary JavaScript.
   </example>
 
   <references>
-    <li>
-      Oversecured Android Vulnerabilities Guide: <a href="https://oversecured.com/vulnerabilities#Android/Enabled_JavaScript">Enabled JavaScript</a>
-    </li>
     <li>
       Android documentation: <a href="https://developer.android.com/reference/android/webkit/WebSettings#setJavaScriptEnabled(boolean)">setJavaScriptEnabled</a>
     </li>
-
   </references>
 
 </qhelp>