diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc index 2a615ff8a..e2143ab90 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc @@ -16,11 +16,11 @@ And if not properly protected, sensitive data (such as your authentication cooki ==== Quick examples: -* From the browser address bar (chrome, Firefox) +* From the JavaScript console in the developer tools of the browser (chrome, Firefox) + ---- -javascript:alert("XSS Test"); -javascript:alert(document.cookie); +alert("XSS Test"); +alert(document.cookie); ---- * Any data field that is returned to the client is potentially injectable +
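Review bot: In the rewritten bullet, "+* From the JavaScript console in the developer tools of the browser (chrome, Firefox)", "chrome" is still lower-case next to "Firefox". Since the line is being changed anyway, capitalise it, and consider the shorter wording "From the JavaScript console in the browser's developer tools (Chrome, Firefox)". The new text also does not say that the two alert(...) statements run in the context of the page currently loaded in that tab, so alert(document.cookie); shows the cookies of that page only. One sentence telling the reader to open the console while on the lesson page would keep the example tied to the preceding paragraph about authentication cookies. With the "javascript:" prefix gone, the trailing bullet "Any data field that is returned to the client is potentially injectable" now follows an example that involves no injected input at all, so a short transition between the console demo and that bullet would help.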