diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
index a833e819f..7489c72e1 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
@@ -39,8 +39,8 @@ _$selector.*text*(someEncodeHtmlMethod(userInputHere))_
 
 http://underscorejs.org/#template
 
-https://nvisium.com/blog/2015/05/21/dont-break-your-backbone-xss-mitigation/
+https://nvisium.com/blog/2015/05/21/dont-break-your-backbone-xss-mitigation.html
 
 ==== Angular
 Angular has sought to escape by default, but the expression language has proven to have 'sandbox' escapes.  Best to check
-details of the version you are using and consult starting here: https://docs.angularjs.org/guide/security
\ No newline at end of file
+details of the version you are using and consult starting here: https://docs.angularjs.org/guide/security