diff --git a/javascript/ql/lib/change-notes/2025-01-03-angular-source-sink.md b/javascript/ql/lib/change-notes/2025-01-03-angular-source-sink.md
new file mode 100644
index 000000000000..609642c25b4a
--- /dev/null
+++ b/javascript/ql/lib/change-notes/2025-01-03-angular-source-sink.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added new XSS sink where `InnerHTML` is assigned to with the Angular Renderer2 API
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll b/javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll
index 16430ff0475a..dd71a1cf728b 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll
@@ -554,4 +554,39 @@ module Angular2 {
 this = API::Node::ofType("@angular/core", "ElementRef").getMember("nativeElement").asSource()
 }
 }
+
+ /**
+ * A DOM attribute write, using the AngularJS Renderer2 API: a call to `Renderer2.setProperty`.
+ */
+ class AngularRenderer2AttributeDefinition extends DOM::AttributeDefinition {
+ DataFlow::Node propertyNode;
+ DataFlow::Node valueNode;
+ DataFlow::Node elementNode;
+
+ AngularRenderer2AttributeDefinition() {
+ exists(API::CallNode setProperty |
+ setProperty =
+ API::moduleImport("@angular/core")
+ .getMember("Renderer2")
+ .getInstance()
+ .getMember("setProperty")
+ .getACall() and
+ elementNode = setProperty.getArgument(0) and
+ propertyNode = setProperty.getArgument(1) and
+ valueNode = setProperty.getArgument(2) and
+ this = setProperty.asExpr()
+ )
+ }
+
+ override string getName() { result = propertyNode.getStringValue() }
+
+ /**
+ * Get the `DataFlow::Node` that is affected by this Attribute Definition.
+ *
+ * Defined instead of defining `getElement()`, which requires returning a DOM element definition, `ElementDefinition`.
+ */
+ DataFlow::Node getElementNode() { result = elementNode }
+
+ override DataFlow::Node getValueNode() { result = valueNode }
+ }
 }
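Review bot: The QLDoc on `AngularRenderer2AttributeDefinition` says "AngularJS Renderer2 API", but `Renderer2` belongs to Angular (2+), not AngularJS, and `setProperty` writes a DOM property rather than an attribute, so the line would be clearer as `* A DOM property write using the Angular Renderer2 API: a call to \`Renderer2.setProperty\`.`. `getName()` resolves the property only through `propertyNode.getStringValue()`, so a `setProperty` call whose second argument is not a string constant gets no name and is invisible to any sink that matches on it; a sentence stating that limitation on `getName()` would save readers of the XSS sink from assuming computed names are covered. The instance is found via `getMember("Renderer2").getInstance()`, while the `ElementRef` model on the context line above uses `API::Node::ofType`; if `getInstance()` does not include constructor-injected parameters typed `Renderer2`, the `ofType("@angular/core", "Renderer2")` form would be the consistent choice — the new test results in this commit suggest injection is already matched, so this is a point to confirm rather than a defect.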
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
index 72d9ae4e55a6..e2a785ee4b14 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -251,6 +251,20 @@ module DomBasedXss {
 }
 }
+ /**
+ * A write to the `innerHTML` or `outerHTML` property of a DOM element, viewed as an XSS sink.
+ *
+ * Uses the Angular Renderer2 API, instead of the default `Element.innerHTML` property.
+ */
+ class AngularRender2SetPropertyInnerHtmlSink2 extends Sink {
+ AngularRender2SetPropertyInnerHtmlSink2() {
+ exists(Angular2::AngularRenderer2AttributeDefinition attrDef |
+ attrDef.getName() = ["innerHTML", "outerHTML"] and
+ this = attrDef.getValueNode()
+ )
+ }
+ }
+
 /**
 * A value being piped into the `safe` pipe in a template file,
 * disabling subsequent HTML escaping.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
index 9b764729c99d..e1308043db9e 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
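Review bot: The class name `AngularRender2SetPropertyInnerHtmlSink2` drops the "er" of `Renderer2` and carries a trailing `2` with no sibling sink of the same name, so it does not match the `Angular2::AngularRenderer2AttributeDefinition` it is built on; `class AngularRenderer2SetPropertyInnerHtmlSink extends Sink {` together with the matching characteristic predicate reads consistently. The sink also matches `outerHTML`, which the change note in this commit does not mention (it names only `InnerHTML`); aligning the note with the `["innerHTML", "outerHTML"]` list keeps the release notes accurate. Since `attrDef.getName()` is derived from a string-constant property argument, `setProperty` calls with a computed property name fall outside this sink — worth a sentence in the QLDoc so that an empty result is not read as evidence that such writes are safe.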
@@ -25,67 +25,73 @@ nodes | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:33 | event.data | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... 
('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... 
().href | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:35:44:35:74 | this.ro ... 
1].path | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | +| angular2-client.ts:47:44:47:76 | routeSn ... 
('foo') | | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | | angular-tempate-url.js:13:30:13:31 | ev | 
@@ -1249,44 +1255,51 @@ edges | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... 
ams.foo | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... 
.params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... 
ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... 
.params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... 
('foo') | | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev | | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev | | angular-tempate-url.js:14:26:14:27 | ev | angular-tempate-url.js:14:26:14:32 | ev.data | 
@@ -2415,20 +2428,21 @@ edges | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value | | addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value | | addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | Cross-site scripting vulnerability due to $@. | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | user-provided value | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:24:44:24:69 | this.ro ... .params | user-provided value | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:25:44:25:74 | this.ro ... yParams | user-provided value | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | angular2-client.ts:26:44:26:71 | this.ro ... ragment | angular2-client.ts:26:44:26:71 | this.ro ... ragment | Cross-site scripting vulnerability due to $@. | angular2-client.ts:26:44:26:71 | this.ro ... ragment | user-provided value | -| angular2-client.ts:27:44:27:82 | this.ro ... 
('foo') | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | user-provided value | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | user-provided value | -| angular2-client.ts:30:46:30:59 | map.get('foo') | angular2-client.ts:30:46:30:59 | map.get('foo') | angular2-client.ts:30:46:30:59 | map.get('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:30:46:30:59 | map.get('foo') | user-provided value | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | angular2-client.ts:33:44:33:74 | this.ro ... 1].path | angular2-client.ts:33:44:33:74 | this.ro ... 1].path | Cross-site scripting vulnerability due to $@. | angular2-client.ts:33:44:33:74 | this.ro ... 1].path | user-provided value | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:34:44:34:80 | this.ro ... ameters | user-provided value | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | user-provided value | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:36:44:36:89 | this.ro ... 
.params | user-provided value | -| angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:38:44:38:58 | this.router.url | user-provided value | -| angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:45:40:59 | this.router.url | user-provided value | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | user-provided value | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | Cross-site scripting vulnerability due to $@. | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | user-provided value | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:26:44:26:69 | this.ro ... .params | user-provided value | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:27:44:27:74 | this.ro ... yParams | user-provided value | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | Cross-site scripting vulnerability due to $@. 
| angular2-client.ts:28:44:28:71 | this.ro ... ragment | user-provided value | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | user-provided value | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | user-provided value | +| angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:32:46:32:59 | map.get('foo') | user-provided value | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | user-provided value | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:36:44:36:80 | this.ro ... ameters | user-provided value | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | user-provided value | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... 
arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:38:44:38:89 | this.ro ... .params | user-provided value | +| angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:44:40:58 | this.router.url | user-provided value | +| angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:42:45:42:59 | this.router.url | user-provided value | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:43:75:43:105 | this.ro ... yParams | user-provided value | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | user-provided value | | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | Cross-site scripting vulnerability due to $@. | angular-tempate-url.js:13:30:13:31 | ev | user-provided value | | classnames.js:7:31:7:84 | `` | classnames.js:7:58:7:68 | window.name | classnames.js:7:31:7:84 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:7:58:7:68 | window.name | user-provided value | | classnames.js:8:31:8:85 | `` | classnames.js:8:59:8:69 | window.name | classnames.js:8:31:8:85 | `` | Cross-site scripting vulnerability due to $@. | classnames.js:8:59:8:69 | window.name | user-provided value | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
index 185cae0d2d30..3d968b9022a6 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -25,67 +25,73 @@ nodes | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:33 | event.data | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... 
('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... 
().href | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:35:44:35:74 | this.ro ... 
1].path | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | +| angular2-client.ts:47:44:47:76 | routeSn ... 
('foo') | | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | | angular-tempate-url.js:13:30:13:31 | ev | 
@@ -1299,44 +1305,51 @@ edges | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data | -| angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | angular2-client.ts:22:44:22:71 | \\u0275getDOM ... ().href | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:24:44:24:69 | this.ro ... .params | angular2-client.ts:24:44:24:73 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | -| angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... 
ams.foo | -| angular2-client.ts:26:44:26:71 | this.ro ... ragment | angular2-client.ts:26:44:26:71 | this.ro ... ragment | -| angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | angular2-client.ts:27:44:27:82 | this.ro ... ('foo') | -| angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | angular2-client.ts:28:44:28:87 | this.ro ... ('foo') | -| angular2-client.ts:30:46:30:59 | map.get('foo') | angular2-client.ts:30:46:30:59 | map.get('foo') | -| angular2-client.ts:33:44:33:74 | this.ro ... 1].path | angular2-client.ts:33:44:33:74 | this.ro ... 1].path | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | -| angular2-client.ts:35:44:35:91 | this.ro ... et('x') | angular2-client.ts:35:44:35:91 | this.ro ... et('x') | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... 
.params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | -| angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | -| angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | -| angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | +| angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | angular2-client.ts:24:44:24:71 | \\u0275getDOM ... ().href | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:26:44:26:69 | this.ro ... .params | angular2-client.ts:26:44:26:73 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... 
ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:27:44:27:74 | this.ro ... yParams | angular2-client.ts:27:44:27:78 | this.ro ... ams.foo | +| angular2-client.ts:28:44:28:71 | this.ro ... ragment | angular2-client.ts:28:44:28:71 | this.ro ... ragment | +| angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | angular2-client.ts:29:44:29:82 | this.ro ... ('foo') | +| angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | angular2-client.ts:30:44:30:87 | this.ro ... ('foo') | +| angular2-client.ts:32:46:32:59 | map.get('foo') | angular2-client.ts:32:46:32:59 | map.get('foo') | +| angular2-client.ts:35:44:35:74 | this.ro ... 1].path | angular2-client.ts:35:44:35:74 | this.ro ... 1].path | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:36:44:36:80 | this.ro ... ameters | angular2-client.ts:36:44:36:82 | this.ro ... eters.x | +| angular2-client.ts:37:44:37:91 | this.ro ... et('x') | angular2-client.ts:37:44:37:91 | this.ro ... et('x') | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... 
.params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:38:44:38:89 | this.ro ... .params | angular2-client.ts:38:44:38:91 | this.ro ... arams.x | +| angular2-client.ts:40:44:40:58 | this.router.url | angular2-client.ts:40:44:40:58 | this.router.url | +| angular2-client.ts:42:45:42:59 | this.router.url | angular2-client.ts:42:45:42:59 | this.router.url | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:43:75:43:105 | this.ro ... yParams | angular2-client.ts:43:75:43:109 | this.ro ... ams.foo | +| angular2-client.ts:47:44:47:76 | routeSn ... ('foo') | angular2-client.ts:47:44:47:76 | routeSn ... 
('foo') |
 | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev |
 | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev |
 | angular-tempate-url.js:14:26:14:27 | ev | angular-tempate-url.js:14:26:14:32 | ev.data |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts
index 734a06da3bc1..6d1823c2f601 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts
@@ -1,4 +1,4 @@
-import { Component, OnInit, DomSanitizer as DomSanitizer2 } from '@angular/core';
+import { Component, OnInit, DomSanitizer as DomSanitizer2, Renderer2, Inject } from '@angular/core';
 import { ɵgetDOM } from '@angular/common';
 import { ActivatedRoute, ActivatedRouteSnapshot, Router } from '@angular/router';
 import { DomSanitizer } from '@angular/platform-browser';
@@ -15,7 +15,9 @@ export class AppComponent implements OnInit {
 private route: ActivatedRoute,
 private sanitizer: DomSanitizer,
 private router: Router,
- private sanitizer2: DomSanitizer2
+ private sanitizer2: DomSanitizer2,
+ private renderer: Renderer2,
+ @Inject(DOCUMENT) private document: Document
 ) {}
 ngOnInit() {
@@ -38,6 +40,7 @@ export class AppComponent implements OnInit {
 this.sanitizer.bypassSecurityTrustHtml(this.router.url); // NOT OK
 this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // NOT OK
+ this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // NOT OK
 }
 someMethod(routeSnapshot: ActivatedRouteSnapshot) {
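Review bot: `DOCUMENT` is used in the new constructor parameter `@Inject(DOCUMENT) private document: Document`, but no visible hunk imports it; the `@angular/common` import line in the first hunk is unchanged context, so unless it is imported somewhere outside these hunks the fixture is not valid TypeScript, which extraction tolerates but a reader will trip over — `import { ɵgetDOM, DOCUMENT } from '@angular/common';` would fix it. The `ngOnInit` hunk also adds only a single `// NOT OK` call for the new `Renderer2.setProperty` sink; a neighbouring `// OK` case, such as the same call with a benign property name like `'textContent'` or with a value that is not user-controlled, would pin the sink's precision rather than only its recall. The `ngOnInit` body and the class start outside the hunks.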