diff --git a/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp index 0a34747413d..22271ee4feb 100644 --- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp +++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp @@ -5,22 +5,22 @@ -

Directly incorporating user input into a HTTP request without validating the input +

Directly incorporating user input into an HTTP request without validating the input can facilitate Server Side Request Forgery (SSRF) attacks. In these attacks, the server -may be tricked into making a request and interacting with an attacker-controlled server. +may be tricked into making a request and interacting with an attacker-controlled server.

To guard against SSRF attacks, it is advisable to avoid putting user input -directly into the request URL. Instead, maintain a list of authorized +directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the user input provided.

-

The following example shows an HTTP request parameter being used directly in a forming a +

The following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.
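Review bot: The recommendation paragraph and the example description in this hunk describe different mitigations, and the wording change here is a good moment to align them: the recommendation says to "maintain a list of authorized URLs on the server; then choose from that list based on the user input provided", while the example text says the fix validates the user input "against a known fixed string". Readers may take an equality check against one string as the general remedy, so consider phrasing the example sentence in terms of the allow list, e.g. "by checking the user input against a fixed list of known-safe values". The grammar fixes themselves ("an HTTP request", "a request URL", "used directly to form a new request") read correctly; note that the "-may be tricked into making a request ... attacker-controlled server." / "+may be tricked ..." pair looks like a whitespace-only change, which is fine but worth mentioning in the commit message so reviewers do not hunt for a wording difference.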