diff --git a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
index 0806201ce0e..1cfc41343d9 100644
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp
@@ -8,7 +8,7 @@
 		Dynamically constructing a shell command with inputs from exported 
 		functions, may inadvertently change the meaning of the shell command.
 		
-		Clients using the exported function may use inputs that contains
+		Clients using the exported function may use inputs containing
 		characters that the shell interprets in a special way, for instance
 		quotes and spaces.
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
index 0bc4a598394..5e7bf0f4d33 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -779,7 +779,7 @@ module TaintTracking {
   class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
     AdHocWhitelistCheckSanitizer() {
       getCalleeName()
-          .regexpMatch("(?i).*((?<!un)safe|whitelist|valid|allow|(?<!un)auth(?!or\\b)).*") and
+          .regexpMatch("(?i).*((?<!un)safe|whitelist|(?<!in)valid|allow|(?<!un)auth(?!or\\b)).*") and
       getNumArgument() = 1
     }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
index 5920e96fdec..fbbbcfa93af 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
@@ -19,7 +19,7 @@ module UnsafeShellCommandConstruction {
    * A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
    */
   class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "UnsafeLibaryCommandInjection" }
+    Configuration() { this = "UnsafeShellCommandConstruction" }
 
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
index a3d5e72ec0d..71464fb6ba6 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -34,7 +34,7 @@ module UnsafeShellCommandConstruction {
 
     /**
      * Gets the node that should be highlighted for this sink.
-     * E.g. for a string concatenation, the sink is one of the leafs and the highlight is the concatenation root.
+     * E.g. for a string concatenation, the sink is one of the leaves and the highlight is the concatenation root.
      */
     abstract DataFlow::Node getHighLight();
   }