Apply suggestions from docs review

Co-authored-by: Sam Browning <[email protected]>

Author: joefarebrother

csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp

@@ -3,9 +3,7 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>When an action method accepts an ID parameter used to control which resource (e.g. a comment, a user profile, etc) 
-is being accessed/modified, checks should me made to ensure that the current user is authorized to access that resource. 
-Otherwise, an attacker could access an arbitrary resource by guessing the ID parameter.</p>
+<p>Resources like comments or user profiles can be accessed and modified through an action method. To find a specific resource, the action method accepts an ID parameter that determines which resource to access. If the methods do not check that the current user is authorized to access the specified resource, an attacker can access a resource by guessing the ID parameter.</p>
 
 </overview>
 <recommendation>
@@ -15,20 +13,18 @@ Ensure that the current user is authorized to access the resource of the provide
 
 </recommendation>
 <example>
-<p>In the following example, in the case marked BAD, there is no authorization check, so any user is able to edit any comment.
-In the case marked GOOD, there is a check that the current usr matches the author of the comment.</p>
+<p>In the following example, in the "BAD" case, there is no authorization check, so any user can edit any comment for which they guess the ID parameter.
+The "GOOD" case includes a check that the current user matches the author of the comment, preventing unauthorized access.</p>
 <sample src="WebFormsExample.cs" />
-<p>The following example shows a similar case for the ASP.NET Core framework. In the third case, the `Authorize` attribute is used
-to restrict the method to only administrators, which are expected to be able to access arbitrary resources. 
-</p>
+<p>The following example shows a similar scenario for the ASP.NET Core framework. As above, the "BAD" case provides an example with no authorization check, and the first "GOOD" case provides an example with a check that the current user authored the specified comment. Additionally, in the second "GOOD" case, the `Authorize` attribute is used to restrict the method to administrators, who are expected to be able to access arbitrary resources.</p>
 <sample src="MVCExample.cs" />
 
 </example>
 <references>
 
-  <li>OWASP - <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
-  <li>OWASP - <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
-  <li>Microsoft Learn - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
+  <li>OWASP: <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
+  <li>OWASP: <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
+  <li>Microsoft Learn: <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
 
 </references>
 </qhelp>