spelling: characters

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Author: jsoref

go/ql/src/experimental/CWE-918/SSRF.qhelp

@@ -14,7 +14,7 @@ server side request forgery attacks, where the attacker controls the request tar
 <p>
 To guard against server side request forgery, it is advisable to avoid putting user input directly into a
 network request. If using user input is necessary, then it must be validated. It is recommended to only allow
-user input consisting of alphanumeric characters. Simply URL-encoding other chracters is not always a solution,
+user input consisting of alphanumeric characters. Simply URL-encoding other characters is not always a solution,
 for example because a downstream entity that is itself vulnerable may decode again before forwarding the request.
 </p>
 </recommendation>