From 1781179e25f8344443ef41ffaa32b7de7e50c8e9 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 3 Mar 2020 09:50:02 +0100
Subject: [PATCH] doc fixes

---
 .../ql/src/semmle/javascript/security/dataflow/Xss.qll       | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index f67dc5f7470..04501cdbf21 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -319,7 +319,7 @@ module ReflectedXss {
       send.getRouteHandler() = h and
       result = nonHtmlContentTypeHeader(h)
     |
-      // not the case that the control just exists without potentially going to the worksFor.
+      // The HeaderDefinition affects a response sent at `send`. 
       not isIrrelevantFor(result, send)
     )
   }
@@ -333,9 +333,10 @@ module ReflectedXss {
   }
 
   /**
-   * Holds if a header set in `header` is unlikely to affect a resonse send in `sender`.
+   * Holds if a header set in `header` is unlikely to affect a response sent at `sender`.
    */
   predicate isIrrelevantFor(HTTP::HeaderDefinition header, HTTP::ResponseSendArgument sender) {
+    sender.getRouteHandler() = header.getRouteHandler() and
     not header.getBasicBlock().getASuccessor*() = sender.getBasicBlock() and
     not sender.getBasicBlock().getASuccessor*() = header.getBasicBlock() and
     (