Finish comment

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

@@ -13,8 +13,9 @@ import semmle.code.java.frameworks.spring.SpringController
 abstract class RequestGetMethod extends Method {
   RequestGetMethod() {
     not exists(MethodAccess ma |
+      // Exclude apparent GET handlers that read a request entity, because this is the principle of JSONP.
       ma.getMethod() instanceof ServletRequestGetBodyMethod and
-      any(this).polyCalls*(ma.getEnclosingCallable())
+      this.polyCalls*(ma.getEnclosingCallable())
     )
   }
 }

java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql

@@ -76,4 +76,4 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfig
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ uses the GET request method to transmit sensitive information.", source.getNode(),
-  "This request"
+  "This request"