From ed74e0aad140b5988492de4e029c22c87fb1aeae Mon Sep 17 00:00:00 2001
From: Nick Rolfe <nickrolfe@github.com>
Date: Fri, 30 Sep 2022 10:31:45 +0100
Subject: [PATCH] JS/Python/Ruby: s/a HTML/an HTML/

---
 javascript/ql/lib/semmle/javascript/JSX.qll   |  2 +-
 .../javascript/security/BadTagFilterQuery.qll |  2 +-
 .../security/IncompleteBlacklistSanitizer.qll |  2 +-
 ...ompleteMultiCharacterSanitizationQuery.qll | 10 +--
 ...ImproperCodeSanitizationCustomizations.qll |  2 +-
 .../UnsafeJQueryPluginCustomizations.qll      | 10 +--
 .../javascript/security/dataflow/Xss.qll      |  2 +-
 .../CWE-079/UnsafeHtmlConstruction.qhelp      |  2 +-
 .../CWE-094/ImproperCodeSanitization.qhelp    |  2 +-
 .../BadTagFilter/BadTagFilter.expected        |  2 +-
 ...ompleteMultiCharacterSanitization.expected | 66 +++++++++----------
 .../python/security/BadTagFilterQuery.qll     |  2 +-
 .../BadTagFilter.expected                     |  2 +-
 .../ruby/security/BadTagFilterQuery.qll       |  2 +-
 ...ompleteMultiCharacterSanitizationQuery.qll | 10 +--
 .../IncompleteMultiCharacterSanitization.ql   |  6 +-
 16 files changed, 62 insertions(+), 62 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/JSX.qll b/javascript/ql/lib/semmle/javascript/JSX.qll
index f89f02abb54..9343d1f4f5c 100644
--- a/javascript/ql/lib/semmle/javascript/JSX.qll
+++ b/javascript/ql/lib/semmle/javascript/JSX.qll
@@ -70,7 +70,7 @@ class JsxElement extends JsxNode {
   override string getAPrimaryQlClass() { result = "JsxElement" }
 
   /**
-   * Holds if this JSX element is a HTML element.
+   * Holds if this JSX element is an HTML element.
    * That is, the name starts with a lowercase letter.
    */
   predicate isHtmlElement() { getName().regexpMatch("[a-z].*") }
diff --git a/javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll b/javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll
index d3ed011b739..ed06bfbe798 100644
--- a/javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/BadTagFilterQuery.qll
@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
     not regexp.fillsCaptureGroup("<script>", group) and
     msg =
       "This regular expression only parses --> (capture group " + group +
-        ") and not --!> as a HTML comment end tag."
+        ") and not --!> as an HTML comment end tag."
   )
   or
   regexp.matches("<!-- foo -->") and
diff --git a/javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll b/javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
index 5de56e762a2..7f84128af23 100644
--- a/javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
+++ b/javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
@@ -80,7 +80,7 @@ module HtmlSanitization {
   }
 
   /**
-   * Gets a HTML-relevant character that is replaced by `chain`.
+   * Gets an HTML-relevant character that is replaced by `chain`.
    */
   private string getALikelyReplacedCharacter(StringReplaceCallSequence chain) {
     result = "\"" and
diff --git a/javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll b/javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll
index 48d1ffea2f7..10f07b39725 100644
--- a/javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll
@@ -35,7 +35,7 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm
   or
   result = t.getAMatchedString()
   or
-  // A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
+  // A substring matched by some character class. This is only used to match the "word" part of an HTML tag (e.g. "iframe" in "<iframe").
   exists(NfaUtils::CharacterClass cc |
     cc = NfaUtils::getCanonicalCharClass(t) and
     cc.matches(result) and
@@ -101,12 +101,12 @@ private class RepetitionMatcher extends EmptyReplaceRegExpTerm {
 predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {
   prefix = getADangerousMatchedPrefix(t) and
   (
-    kind = "path injection" and
+    kind = "a path injection vulnerability" and
     prefix = ["/..", "../"] and
     // If the regex is matching explicit path components, it is unlikely that it's being used as a sanitizer.
     not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_-].*")
     or
-    kind = "HTML element injection" and
+    kind = "an HTML element injection vulnerability" and
     (
       // comments
       prefix = "<!--" and
@@ -119,7 +119,7 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string
     )
   )
   or
-  kind = "HTML attribute injection" and
+  kind = "an HTML attribute injection vulnerability" and
   prefix =
     [
       // ordinary event handler prefix
@@ -197,6 +197,6 @@ query predicate problems(
 ) {
   exists(string kind |
     isResult(replace, dangerous, prefix, kind) and
-    msg = "This string may still contain $@, which may cause a " + kind + " vulnerability."
+    msg = "This string may still contain $@, which may cause " + kind + "."
   )
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll
index fc08feeb162..d6e6baa71bf 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationCustomizations.qll
@@ -26,7 +26,7 @@ module ImproperCodeSanitization {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * A call to a HTML sanitizer seen as a source for improper code sanitization
+   * A call to an HTML sanitizer seen as a source for improper code sanitization
    */
   class HtmlSanitizerCallAsSource extends Source {
     HtmlSanitizerCallAsSource() { this instanceof HtmlSanitizerCall }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
index 39ef06a5944..19d5988ae80 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -32,7 +32,7 @@ module UnsafeJQueryPlugin {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /**
-   * An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
+   * An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
    */
   class AmbiguousHtmlOrSelectorArgument extends DataFlow::Node,
     DomBasedXss::JQueryHtmlOrSelectorArgument {
@@ -173,7 +173,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * An argument that may act as a HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
+   * An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
    */
   class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink {
     AmbiguousHtmlOrSelectorArgumentAsSink() {
@@ -182,7 +182,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * A hint that a value is expected to be treated as a HTML fragment later.
+   * A hint that a value is expected to be treated as an HTML fragment later.
    */
   class IntentionalHtmlFragmentHint extends Sanitizer {
     IntentionalHtmlFragmentHint() {
@@ -191,7 +191,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * Holds if there exists a jQuery plugin that likely expects `sink` to be treated as a HTML fragment.
+   * Holds if there exists a jQuery plugin that likely expects `sink` to be treated as an HTML fragment.
    */
   predicate isLikelyIntentionalHtmlSink(DataFlow::Node sink) {
     exists(
@@ -206,7 +206,7 @@ module UnsafeJQueryPlugin {
   }
 
   /**
-   * Gets a property-write that writes a HTML-like constant string to `prop`.
+   * Gets a property-write that writes an HTML-like constant string to `prop`.
    */
   pragma[noinline]
   private DataFlow::PropWrite getALikelyHtmlWrite(string prop) {
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
index 4c68f20738a..216243fb8a5 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll
@@ -65,7 +65,7 @@ module Shared {
   private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHtml
 
   /**
-   * A guard that checks if a string can contain quotes, which is a guard for strings that are inside a HTML attribute.
+   * A guard that checks if a string can contain quotes, which is a guard for strings that are inside an HTML attribute.
    */
   abstract class QuoteGuard extends TaintTracking::SanitizerGuardNode, StringOps::Includes {
     QuoteGuard() {
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
index 0bc3bd53a0d..4ab53d1964f 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
@@ -44,7 +44,7 @@
 	<sample src="examples/unsafe-html-construction_safe.js" />
 	
 	<p>
-		Alternatively, a HTML sanitizer can be used to remove unsafe content.
+		Alternatively, an HTML sanitizer can be used to remove unsafe content.
 	</p>
 
 	<sample src="examples/unsafe-html-construction_sanitizer.js" />
diff --git a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.qhelp b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.qhelp
index c15ac66abff..d4d474687f1 100644
--- a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.qhelp
+++ b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.qhelp
@@ -12,7 +12,7 @@
 
   <recommendation>
     <p>
-      If using <code>JSON.stringify</code> or a HTML sanitizer to sanitize a string inserted into 
+      If using <code>JSON.stringify</code> or an HTML sanitizer to sanitize a string inserted into 
       JavaScript code, then make sure to perform additional sanitization or remove potentially
       dangerous characters. 
     </p>
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.expected b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.expected
index 94a16f704fc..3d1c86b7b04 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/BadTagFilter.expected
@@ -13,5 +13,5 @@
 | tst.js:18:6:18:48 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
 | tst.js:19:6:19:147 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
 | tst.js:20:3:20:57 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
-| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as a HTML comment end tag. |
+| tst.js:21:6:21:249 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
 | tst.js:22:6:22:33 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
index 4cfa0c0ac66..c8629c70615 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected
@@ -1,39 +1,39 @@
-| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <script |
-| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 |  on\\w+=".*" | on |
-| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 |  on\\w+=\\'.*\\' | on |
-| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <script |
-| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
-| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
-| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
-| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:3:30:3:30 | < | <script |
+| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:4:30:4:40 |  on\\w+=".*" | on |
+| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:5:30:5:42 |  on\\w+=\\'.*\\' | on |
+| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:9:30:9:30 | < | <script |
+| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | on |
+| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | on |
+| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
+| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
 | tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:22:48:23 | \\/ | /.. |
 | tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:48:26:48:27 | \\. | ../ |
-| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
-| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
-| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
-| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
-| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
-| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
-| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
-| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
+| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | on |
+| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:76:7:76:35 | x.repla ... +/, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:76:18:76:29 | \\sng-[a-z-]+ | ng- |
+| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | ng- |
+| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML attribute injection vulnerability. | tst-multi-character-sanitization.js:81:36:81:39 | only | on |
+| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
+| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
 | tst-multi-character-sanitization.js:85:7:85:48 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:85:18:85:21 | \\x2E | ../ |
-| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
-| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n  }) | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
+| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
+| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n  }) | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
 | tst-multi-character-sanitization.js:101:7:101:30 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:101:18:101:19 | \\. | ../ |
 | tst-multi-character-sanitization.js:102:7:102:30 | x.repla ... /g, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:102:18:102:19 | \\/ | /.. |
-| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
-| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
-| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
-| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
-| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
-| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
-| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
+| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:106:18:106:18 | < | <script |
+| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:107:18:107:19 | \\< | <script |
+| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:108:18:108:18 | < | <script |
+| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
+| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
+| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
 | tst-multi-character-sanitization.js:126:7:129:34 | x\\n    . ... //, "") | This string may still contain $@, which may cause a path injection vulnerability. | tst-multi-character-sanitization.js:129:21:129:22 | \\/ | /.. |
-| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
-| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
-| tst-multi-character-sanitization.js:137:2:137:48 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:137:19:137:20 | .+ | <script |
-| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:21:138:21 | < | <script |
-| tst-multi-character-sanitization.js:142:13:142:62 | content ... gi, "") | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:142:30:142:36 | <script | <script |
-| tst-multi-character-sanitization.js:143:13:143:56 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:143:30:143:30 | < | <script |
-| tst-multi-character-sanitization.js:144:13:144:91 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:144:30:144:30 | < | <script |
-| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause a HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |
+| tst-multi-character-sanitization.js:135:2:135:44 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:135:19:135:25 | <script | <script |
+| tst-multi-character-sanitization.js:136:2:136:46 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:136:19:136:19 | < | <script |
+| tst-multi-character-sanitization.js:137:2:137:48 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:137:19:137:20 | .+ | <script |
+| tst-multi-character-sanitization.js:138:2:138:48 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:138:21:138:21 | < | <script |
+| tst-multi-character-sanitization.js:142:13:142:62 | content ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:142:30:142:36 | <script | <script |
+| tst-multi-character-sanitization.js:143:13:143:56 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:143:30:143:30 | < | <script |
+| tst-multi-character-sanitization.js:144:13:144:91 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:144:30:144:30 | < | <script |
+| tst-multi-character-sanitization.js:145:13:145:90 | content ... /g, '') | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:145:30:145:30 | < | <script |
diff --git a/python/ql/lib/semmle/python/security/BadTagFilterQuery.qll b/python/ql/lib/semmle/python/security/BadTagFilterQuery.qll
index d3ed011b739..ed06bfbe798 100644
--- a/python/ql/lib/semmle/python/security/BadTagFilterQuery.qll
+++ b/python/ql/lib/semmle/python/security/BadTagFilterQuery.qll
@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
     not regexp.fillsCaptureGroup("<script>", group) and
     msg =
       "This regular expression only parses --> (capture group " + group +
-        ") and not --!> as a HTML comment end tag."
+        ") and not --!> as an HTML comment end tag."
   )
   or
   regexp.matches("<!-- foo -->") and
diff --git a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
index aef10436714..001d752ebab 100644
--- a/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
+++ b/python/ql/test/query-tests/Security/CWE-116-BadTagFilter/BadTagFilter.expected
@@ -13,4 +13,4 @@
 | tst.py:20:20:20:62 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
 | tst.py:21:20:21:161 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
 | tst.py:22:17:22:71 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
-| tst.py:23:20:23:263 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as a HTML comment end tag. |
+| tst.py:23:20:23:263 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
diff --git a/ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll b/ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll
index d3ed011b739..ed06bfbe798 100644
--- a/ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/BadTagFilterQuery.qll
@@ -87,7 +87,7 @@ predicate isBadRegexpFilter(HtmlMatchingRegExp regexp, string msg) {
     not regexp.fillsCaptureGroup("<script>", group) and
     msg =
       "This regular expression only parses --> (capture group " + group +
-        ") and not --!> as a HTML comment end tag."
+        ") and not --!> as an HTML comment end tag."
   )
   or
   regexp.matches("<!-- foo -->") and
diff --git a/ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll b/ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll
index 48d1ffea2f7..10f07b39725 100644
--- a/ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll
@@ -35,7 +35,7 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm
   or
   result = t.getAMatchedString()
   or
-  // A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
+  // A substring matched by some character class. This is only used to match the "word" part of an HTML tag (e.g. "iframe" in "<iframe").
   exists(NfaUtils::CharacterClass cc |
     cc = NfaUtils::getCanonicalCharClass(t) and
     cc.matches(result) and
@@ -101,12 +101,12 @@ private class RepetitionMatcher extends EmptyReplaceRegExpTerm {
 predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string kind) {
   prefix = getADangerousMatchedPrefix(t) and
   (
-    kind = "path injection" and
+    kind = "a path injection vulnerability" and
     prefix = ["/..", "../"] and
     // If the regex is matching explicit path components, it is unlikely that it's being used as a sanitizer.
     not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_-].*")
     or
-    kind = "HTML element injection" and
+    kind = "an HTML element injection vulnerability" and
     (
       // comments
       prefix = "<!--" and
@@ -119,7 +119,7 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string
     )
   )
   or
-  kind = "HTML attribute injection" and
+  kind = "an HTML attribute injection vulnerability" and
   prefix =
     [
       // ordinary event handler prefix
@@ -197,6 +197,6 @@ query predicate problems(
 ) {
   exists(string kind |
     isResult(replace, dangerous, prefix, kind) and
-    msg = "This string may still contain $@, which may cause a " + kind + " vulnerability."
+    msg = "This string may still contain $@, which may cause " + kind + "."
   )
 }
diff --git a/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/IncompleteMultiCharacterSanitization.ql b/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/IncompleteMultiCharacterSanitization.ql
index f635cdc6036..07b09ffddef 100644
--- a/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/IncompleteMultiCharacterSanitization.ql
+++ b/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/IncompleteMultiCharacterSanitization.ql
@@ -31,9 +31,9 @@ predicate hasResult(Location location, string element, string value) {
 
 bindingset[kind]
 string shortKind(string kind) {
-  kind = "HTML element injection" and result = "html"
+  kind = "an HTML element injection vulnerability" and result = "html"
   or
-  kind = "path injection" and result = "path"
+  kind = "a path injection vulnerability" and result = "path"
   or
-  kind = "HTML attribute injection" and result = "attr"
+  kind = "an HTML attribute injection vulnerability" and result = "attr"
 }