diff --git a/change-notes/1.20/analysis-python.md b/change-notes/1.20/analysis-python.md index ed7d8e1a72a..27cb554eb8c 100644 --- a/change-notes/1.20/analysis-python.md +++ b/change-notes/1.20/analysis-python.md @@ -14,9 +14,9 @@ Removes false positives seen when using Python 3.6, but not when using earlier v | **Query** | **Tags** | **Purpose** | |-----------------------------|-----------|--------------------------------------------------------------------| | Default version of SSL/TLS may be insecure (`py/insecure-default-protocol`) | security, external/cwe/cwe-327 | Finds instances where an insecure default protocol may be used. Results are shown on LGTM by default. | -| Use of insecure SSL/TLS version (`py/insecure-protocol`) | security, external/cwe/cwe-327 | Finds instances where a known insecure protocol has been specified. Results are shown on LGTM by default. | -| Incomplete regular expression for hostnames (`py/incomplete-hostname-regexp`) | security, external/cwe/cwe-020 | Finds instances where a hostname is incompletely sanitized due to enescaped character in a regular expression. Results are shown on LGTM by default. | +| Incomplete regular expression for hostnames (`py/incomplete-hostname-regexp`) | security, external/cwe/cwe-020 | Finds instances where a hostname is incompletely sanitized because a regular expression contains an unescaped character. Results are shown on LGTM by default. | | Incomplete URL substring sanitization (`py/incomplete-url-substring-sanitization`) | security, external/cwe/cwe-020 | Finds instances where a URL is incompletely sanitized due to insufficient checks. Results are shown on LGTM by default. | +| Use of insecure SSL/TLS version (`py/insecure-protocol`) | security, external/cwe/cwe-327 | Finds instances where a known insecure protocol has been specified. Results are shown on LGTM by default. | ## Changes to existing queries 
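Review bot: the wording fix for the `py/incomplete-hostname-regexp` row is still vaguer than the qhelp changed in this same patch, which names the unescaped character as `.`; consider "because a regular expression contains an unescaped `.`" so the change note and the query help describe the same defect. The same hunk also moves the `py/insecure-protocol` row two positions down, which is unrelated to the typo fix; the resulting order is alphabetical by query name, so it is worth a line in the commit message saying the table is being sorted, otherwise the move reads as an accidental edit.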
diff --git a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp index 346923da021..b542ae252eb 100644 --- a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp +++ b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.qhelp @@ -56,9 +56,8 @@
- This vulnerability is addressed in the safe check, which
- escapes the . and will reject wwwXexample.com.
-
+ The safe check closes this vulnerability by escaping the .
+ so that URLs of the form wwwXexample.com are rejected.
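Review bot: "URLs of the form wwwXexample.com" describes a hostname rather than a URL, and this is the hostname-regexp query, so "hostnames of the form wwwXexample.com" would be more accurate unless the surrounding example applies the check to whole URLs. The bare `.` in "escaping the ." is also easy to miss in rendered help text; if the rest of this qhelp already uses `<code>` markup, wrapping `.` and `wwwXexample.com` in it would make the sentence readable. Finally, the hunk drops a blank line (`-56,9 +56,8`), so please confirm the enclosing qhelp element still renders as one paragraph and was not relying on that separator.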