diff --git a/java/ql/lib/semmle/code/java/frameworks/Networking.qll b/java/ql/lib/semmle/code/java/frameworks/Networking.qll
index c473cc9fc09..f86cecd5b4e 100644
--- a/java/ql/lib/semmle/code/java/frameworks/Networking.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Networking.qll
@@ -24,6 +24,11 @@ class TypeUrl extends RefType {
 TypeUrl() { this.hasQualifiedName("java.net", "URL") }
 }
 
+/** The type `java.net.URLDecoder`. */
+class TypeUrlDecoder extends RefType {
+TypeUrlDecoder() { this.hasQualifiedName("java.net", "URLDecoder") }
+}
+
 /** The type `java.net.URI`. */
 class TypeUri extends RefType {
 TypeUri() { this.hasQualifiedName("java.net", "URI") }
@@ -157,6 +162,14 @@ class UrlOpenConnectionMethod extends Method {
 }
 }
 
+/** The method `java.net.URLDecoder::decode`. */
+class UrlDecodeMethod extends Method {
+UrlDecodeMethod() {
+this.getDeclaringType() instanceof TypeUrlDecoder and
+this.getName() = "decode"
+}
+}
+
 /** The method `javax.net.SocketFactory::createSocket`. */
 class CreateSocketMethod extends Method {
 CreateSocketMethod() {
diff --git a/java/ql/lib/semmle/code/java/security/UrlForward.qll b/java/ql/lib/semmle/code/java/security/UrlForward.qll
index f7001023689..be9bfb91043 100644
--- a/java/ql/lib/semmle/code/java/security/UrlForward.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlForward.qll
@@ -41,8 +41,6 @@ abstract class UrlForwardBarrier extends DataFlow::Node { }
 
 private class PrimitiveBarrier extends UrlForwardBarrier instanceof SimpleTypeSanitizer { }
 
-// TODO: should this also take URL encoding/decoding into account?
-// TODO: and PathSanitization in general?
 private class FollowsBarrierPrefix extends UrlForwardBarrier {
 FollowsBarrierPrefix() { this.asExpr() = any(BarrierPrefix fp).getAnAppendedExpression() }
 }
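Review bot: The new `UrlDecodeMethod` class constrains only the declaring type and the name `"decode"`, so it matches every `decode` overload of `java.net.URLDecoder`, including the deprecated single-argument `decode(String)` that decodes using the platform charset; the QLDoc should state that, because consumers such as `DefaultUrlDecodeCall` in UrlForward.qll treat a match as evidence of a full decode. Suggested wording: `/** The method `java.net.URLDecoder::decode` (any overload, including the deprecated single-argument form). */`. If a query later needs to separate the charset-taking overloads, constrain `getNumberOfParameters()` in this characteristic predicate rather than re-filtering at each use site.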
@@ -58,9 +56,8 @@ private class BarrierPrefix extends InterestingPrefix {
 
 private class UrlPathBarrier extends UrlForwardBarrier instanceof PathInjectionSanitizer {
 UrlPathBarrier() {
-this instanceof ExactPathMatchSanitizer //TODO: still need a better solution for this edge case...
+this instanceof ExactPathMatchSanitizer
 or
-// TODO: these don't enforce order of checks and PathSanitization... make bypass test cases.
 this instanceof NoEncodingBarrier
 or
 this instanceof FullyDecodesBarrier
@@ -71,7 +68,7 @@ abstract class UrlDecodeCall extends MethodCall { }
 
 private class DefaultUrlDecodeCall extends UrlDecodeCall {
 DefaultUrlDecodeCall() {
-this.getMethod().hasQualifiedName("java.net", "URLDecoder", "decode") or // TODO: reuse existing class? Or make this a class?
+this.getMethod() instanceof UrlDecodeMethod or
 this.getMethod().hasQualifiedName("org.eclipse.jetty.util.URIUtil", "URIUtil", "decodePath")
 }
 }
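Review bot: The two TODOs removed from the `UrlPathBarrier` characteristic predicate recorded known gaps — that the `ExactPathMatchSanitizer` case still needed a better solution, and that the `NoEncodingBarrier`/`FullyDecodesBarrier` disjuncts, per the removed comment, do not enforce the order of the check relative to decoding and lacked bypass test cases — and nothing in this hunk closes either gap, so they now go undocumented. Keep the substance as QLDoc on `UrlPathBarrier`, e.g. `/** A path-injection sanitizer that is also a URL-forward barrier. Note: the NoEncodingBarrier and FullyDecodesBarrier cases do not constrain the order of the check relative to decoding; bypass test cases are still outstanding. */`, or point to the issue where it is tracked. The `UrlPathBarrier` predicate continues past the end of the hunk.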
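Review bot: The sibling disjunct on the line after the new `this.getMethod() instanceof UrlDecodeMethod or` passes `"org.eclipse.jetty.util.URIUtil"` as the package and `"URIUtil"` as the type; Jetty's `URIUtil` lives in package `org.eclipse.jetty.util`, so as written that `hasQualifiedName` appears never to match and the Jetty `decodePath` case is silently dead, which would keep a decode-then-check sequence through Jetty from ever qualifying as a `FullyDecodesBarrier`. Since this hunk already reworks the predicate, it is the natural place to correct it: `this.getMethod().hasQualifiedName("org.eclipse.jetty.util", "URIUtil", "decodePath")`. A qltest stub with a `URIUtil.decodePath` call would catch this regression going forward.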