diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp
index 96266280146..b332c44438d 100644
--- a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp
+++ b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qhelp
@@ -5,7 +5,7 @@

Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site.
-This means the emails will be sent out to potential victims, originating from a server they trust but with
+This means the emails will be sent out to potential victims, originating from a server they trust, but with
 links leading to a malicious web site.

diff --git a/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js b/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js
index d558921864c..1d55f00796a 100644
--- a/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js
+++ b/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGeneration.js
@@ -14,6 +14,6 @@ app.post('/resetpass', (req, res) => {
 from: 'webmaster@example.com',
 to: email,
 subject: 'Forgot password',
-    text: `Forgot your password?. Click here to reset: https://${req.host}/resettoken/${token}`,
+    text: `Click to reset password: https://${req.host}/resettoken/${token}`,
 });
 });
diff --git a/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js b/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js
index 1d4453df053..e1b3aeed46a 100644
--- a/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js
+++ b/javascript/ql/src/Security/CWE-640/examples/HostHeaderPoisoningInEmailGenerationGood.js
@@ -14,6 +14,6 @@ app.post('/resetpass', (req, res) => {
 from: 'webmaster@example.com',
 to: email,
 subject: 'Forgot password',
-    text: `Forgot your password?. Click here to reset: https://${config.hostname}/resettoken/${token}`,
+    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,
 });
 });
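Review bot: In the HostHeaderPoisoningInEmailGenerationGood.js hunk, the rewritten `text:` line is the only place the good example differs from the bad one, but nothing in the hunk says why `config.hostname` is the safe choice; a reader comparing the two files sees only a different interpolated name. A one-line comment above the `text:` line, such as `// Link host comes from server-side configuration, not from the request's Host header`, would make the contrast the qhelp describes visible in the code itself. Where `config` is defined is outside the hunk, so whether it is a fixed value rather than something derived from the request cannot be confirmed from here. The enclosing `app.post('/resetpass', ...)` handler starts before the hunk.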