Fix broken refs.
MichaelDiBernardo committed Apr 9, 2016
1 parent fa61c4b commit d565849
Showing 4 changed files with 16 additions and 18 deletions.
2 changes: 1 addition & 1 deletion same-origin-policy/same-origin-policy.markdown
Expand Up @@ -801,7 +801,7 @@ confidentiality property, the analyzer generates the scenario seen in
\aosafigure[180pt]{same-origin-policy-images/fig-attack-1a.png}{Confidentiality counterexample at time 0}{500l.same-origin-policy.fig-attack-1a}
\aosafigure[180pt]{same-origin-policy-images/fig-attack-1b.png}{Confidentiality counterexample at time 1}{500l.same-origin-policy.fig-attack-1b}

This counterexample involves two steps. In the first step (\aosafigref{500l.same-origin-policy.fig-attack-1a}), `EvilScript`, executing inside `AdBanner` from `EvilDomain`, reads the content of `InboxPage`, which originates from `EmailDomain`. In the next step (\aosafigref{500l.same-origin-policy-fig-attack-1b}), `EvilScript` sends the same content (`MyInboxInfo`) to `EvilServer` by making an `XmlHtttpRequest` call. The core of the problem here is that a script executing under one domain is able to read the content of a document from another domain; as we will see in the next section, this is exactly one of the scenarios that the SOP is designed to prevent.
This counterexample involves two steps. In the first step (\aosafigref{500l.same-origin-policy.fig-attack-1a}), `EvilScript`, executing inside `AdBanner` from `EvilDomain`, reads the content of `InboxPage`, which originates from `EmailDomain`. In the next step (\aosafigref{500l.same-origin-policy.fig-attack-1b}), `EvilScript` sends the same content (`MyInboxInfo`) to `EvilServer` by making an `XmlHtttpRequest` call. The core of the problem here is that a script executing under one domain is able to read the content of a document from another domain; as we will see in the next section, this is exactly one of the scenarios that the SOP is designed to prevent.

There may be multiple counterexamples to a single assertion. Consider \aosafigref{500l.same-origin-policy.fig-attack-2}, which shows a different way in which the system may violate the confidentiality property.

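Review bot: the \aosafigref label fix is correct, but the same sentence still carries `XmlHtttpRequest` (three t's) in both the old and the new line; since this commit is already editing that line, the extra `t` could be dropped here rather than in a follow-up. The same misspelling appears in the tex/same-origin-policy.tex hunk later in this commit, so both copies should be corrected together.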
13 changes: 6 additions & 7 deletions spreadsheet/spreadsheet.markdown
Expand Up @@ -42,15 +42,15 @@ The spreadsheet spans two dimensions, with _columns_ starting from **A**, and _r
* Formula: `=A1+C1` in **E1**, which _calculates_ to the _value_ "3920", displayed with a light blue background.
* Empty: All cells in row **2** are currently empty.

Click "3920" to set _focus_ on **E1**, revealing its formula in an _input box_ (\aosafigref{500l.spreadsheet.inputbox}):
Click "3920" to set _focus_ on **E1**, revealing its formula in an _input box_ (\aosafigref{500l.spreadsheet.inputbox}).

\aosafigure[240pt]{spreadsheet-images/02-input.png}{Input Box}{500l.spreadsheet.input}
\aosafigure[240pt]{spreadsheet-images/02-input.png}{Input Box}{500l.spreadsheet.inputbox}

Now let’s set focus on **A1** and _change_ its content to "1", causing **E1** to _recalculate_ its value to "2047" (\aosafigref{500l.spreadsheet.changed}):
Now let’s set focus on **A1** and _change_ its content to "1", causing **E1** to _recalculate_ its value to "2047" (\aosafigref{500l.spreadsheet.changed}).

\aosafigure[240pt]{spreadsheet-images/03-changed.png}{Changed Content}{500l.spreadsheet.changed}

Press **ENTER** to set focus to **A2** and change its content to `=Date()`, then press **TAB**, change the content of **B2** to `=alert()`, then press **TAB** again to set focus to `C2` (\aosafigref{500l.spreadsheet.error}):
Press **ENTER** to set focus to **A2** and change its content to `=Date()`, then press **TAB**, change the content of **B2** to `=alert()`, then press **TAB** again to set focus to `C2` (\aosafigref{500l.spreadsheet.error}).

\aosafigure[240pt]{spreadsheet-images/04-error.png}{Formula Error}{500l.spreadsheet.error}

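Review bot: the `500l.spreadsheet.input` to `500l.spreadsheet.inputbox` change on the \aosafigure line is the edit that actually repairs the dangling reference; the colon-to-period changes on the three surrounding sentences are cosmetic. While the ENTER/TAB sentence is being touched, `C2` is set in backticks whereas **A2** and **B2** are bold; writing it as `**C2**` would keep the cell references consistent within the sentence.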
Expand All @@ -62,7 +62,7 @@ Now reload the page in the browser with **Ctrl-R** or **Cmd-R** to verify that t

### Progressive Enhancement

Before we dive into the 99 lines of code, it’s worthwhile to disable JS in the browser, reload the page, and note the differences (\aosafigref{500l.spreadsheet.nojs}):
Before we dive into the 99 lines of code, it’s worthwhile to disable JS in the browser, reload the page, and note the differences (\aosafigref{500l.spreadsheet.nojs}).

* Instead of a large grid, only a 2x2 table remains onscreen, with a single content cell.
* Row and column labels are replaced by `{{ row }}` and `{{ col }}`.
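Review bot: the sentence now ends in "note the differences." and is immediately followed by the bulleted list of those differences; a colon is the natural lead-in to that list, and the parenthesised figure reference does not change that, so I would keep the colon here even though the other figure-reference sentences in this file switched to periods. The same edit is made to the tex/spreadsheet.tex copy later in this commit.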
Expand All @@ -85,11 +85,10 @@ As shown in \aosafigref{500l.spreadsheet.nocss}, if we enable JS in the browser

## Code Walkthrough

\aosafigref{500l.spreadsheet.architecture} shows the links between HTML and JS components:
\aosafigref{500l.spreadsheet.architecture} shows the links between HTML and JS components. In order to make sense of the diagram, let’s go through the four source code files, in the same sequence as the browser loads them.

\aosafigure[240pt]{spreadsheet-images/00-architecture.png}{Architecture Diagram}{500l.spreadsheet.architecture}

In order to make sense of the diagram, let’s go through the four source code files, in the same sequence as the browser loads them:

* **index.html**: 19 lines
* **main.js**: 38 lines (excluding comments and blank lines)
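Review bot: folding "In order to make sense of the diagram, let's go through the four source code files..." into the paragraph before the figure separates the file list from the sentence that introduces it by the architecture \aosafigure line, and deleting the old sentence leaves two consecutive blank lines between the figure and the list. Keeping the introductory sentence directly above the list (ending in a colon) and collapsing the blank lines would read better. The same change appears in tex/spreadsheet.tex below.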
2 changes: 1 addition & 1 deletion tex/same-origin-policy.tex
Expand Up @@ -835,7 +835,7 @@
\texttt{EvilScript}, executing inside \texttt{AdBanner} from
\texttt{EvilDomain}, reads the content of \texttt{InboxPage}, which
originates from \texttt{EmailDomain}. In the next step
(\aosafigref{500l.same-origin-policy-fig-attack-1b}),
(\aosafigref{500l.same-origin-policy.fig-attack-1b}),
\texttt{EvilScript} sends the same content (\texttt{MyInboxInfo}) to
\texttt{EvilServer} by making an \texttt{XmlHtttpRequest} call. The core
of the problem here is that a script executing under one domain is able
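Review bot: `\texttt{XmlHtttpRequest}` (three t's) in this hunk's unchanged context carries the same misspelling as the markdown source; correcting it in both files in this commit keeps the tex and markdown copies in step.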
17 changes: 8 additions & 9 deletions tex/spreadsheet.tex
Expand Up @@ -85,20 +85,20 @@
\end{aosaitemize}

Click ``3920'' to set \emph{focus} on \textbf{E1}, revealing its formula
in an \emph{input box} (\aosafigref{500l.spreadsheet.inputbox}):
in an \emph{input box} (\aosafigref{500l.spreadsheet.inputbox}).

\aosafigure[240pt]{spreadsheet-images/02-input.png}{Input Box}{500l.spreadsheet.input}
\aosafigure[240pt]{spreadsheet-images/02-input.png}{Input Box}{500l.spreadsheet.inputbox}

Now let's set focus on \textbf{A1} and \emph{change} its content to
``1'', causing \textbf{E1} to \emph{recalculate} its value to ``2047''
(\aosafigref{500l.spreadsheet.changed}):
(\aosafigref{500l.spreadsheet.changed}).

\aosafigure[240pt]{spreadsheet-images/03-changed.png}{Changed Content}{500l.spreadsheet.changed}

Press \textbf{ENTER} to set focus to \textbf{A2} and change its content
to \texttt{=Date()}, then press \textbf{TAB}, change the content of
\textbf{B2} to \texttt{=alert()}, then press \textbf{TAB} again to set
focus to \texttt{C2} (\aosafigref{500l.spreadsheet.error}):
focus to \texttt{C2} (\aosafigref{500l.spreadsheet.error}).

\aosafigure[240pt]{spreadsheet-images/04-error.png}{Formula Error}{500l.spreadsheet.error}

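Review bot: `\texttt{C2}` in the TAB sentence is inconsistent with `\textbf{A2}` and `\textbf{B2}` in the same sentence, mirroring the inconsistency in spreadsheet/spreadsheet.markdown; since the line is already being edited for the colon-to-period change, `\textbf{C2}` would make the cell references uniform.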
Expand All @@ -122,7 +122,7 @@

Before we dive into the 99 lines of code, it's worthwhile to disable JS
in the browser, reload the page, and note the differences
(\aosafigref{500l.spreadsheet.nojs}):
(\aosafigref{500l.spreadsheet.nojs}).

\begin{aosaitemize}

Expand Down Expand Up @@ -171,13 +171,12 @@
\aosasecti{Code Walkthrough}\label{code-walkthrough}

\aosafigref{500l.spreadsheet.architecture} shows the links between HTML
and JS components:
and JS components. In order to make sense of the diagram, let's go
through the four source code files, in the same sequence as the browser
loads them.

\aosafigure[240pt]{spreadsheet-images/00-architecture.png}{Architecture Diagram}{500l.spreadsheet.architecture}

In order to make sense of the diagram, let's go through the four source
code files, in the same sequence as the browser loads them:

\begin{aosaitemize}

\item
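Review bot: as in the markdown copy, the merged sentence now ends in "loads them." and the file list it introduces only follows after the \aosafigure line, with two blank lines left where the removed sentence used to be; keeping the lead-in sentence just above \begin{aosaitemize} and dropping the extra blank line would read better.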